diff --git a/packages/akamai/2.1.2/LICENSE.txt b/packages/akamai/2.1.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/akamai/2.1.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/akamai/2.1.2/changelog.yml b/packages/akamai/2.1.2/changelog.yml new file mode 100755 index 0000000000..63f8caba79 --- /dev/null +++ b/packages/akamai/2.1.2/changelog.yml @@ -0,0 +1,71 @@ +# newer versions go on top +- version: "2.1.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4399 +- version: "2.1.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "2.1.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3841 +- version: "2.0.1" + changes: + - description: Fix proxy URL documentation rendering. + type: bugfix + link: https://github.com/elastic/integrations/pull/3881 +- version: "2.0.0" + changes: + - description: Add dashboard. + type: enhancement + link: https://github.com/elastic/integrations/pull/3739 +- version: "1.1.1" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "1.1.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.0.1" + changes: + - description: improve the English in the readme file + type: enhancement + link: https://github.com/elastic/integrations/pull/3532 +- version: "1.0.0" + changes: + - description: Make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/3428 +- version: "0.2.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "0.1.3" + changes: + - description: Fix typo in config template for ignoring host enrichment + type: bugfix + link: https://github.com/elastic/integrations/pull/3092 +- version: "0.1.2" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.1.1" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2369 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/1643 diff --git a/packages/akamai/2.1.2/data_stream/siem/agent/stream/httpjson.yml.hbs b/packages/akamai/2.1.2/data_stream/siem/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..4efc3cf8ea --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/agent/stream/httpjson.yml.hbs @@ -0,0 +1,80 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" +request.url: "{{api_host}}/siem/v1/configs/{{config_ids}}" +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +request.transforms: + - set: + target: url.params.from + value: "[[.cursor.last_execution_datetime]]" + default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]' + - set: + target: url.params.to + value: '[[ (now (parseDuration "-1m")).Unix ]]' + - set: + target: header.XTimestamp + value: '[[ formatDate (now) "20060102T15:04:05-0700" ]]' + - set: + target: header.XSignatureBase + value: '[[ sprintf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "{{client_token}}" "{{access_token}}" (.header.Get "XTimestamp") uuid ]]' + - set: + target: header.XSignatureKey + value: '[[ hmacBase64 "sha256" "{{client_secret}}" (.header.Get "XTimestamp") ]]' + - set: + target: header.XSignature + value: '[[ hmacBase64 "sha256" (.header.Get "XSignatureKey") "GET\t" .url.Scheme "\t" .url.Host "\t" .url.Path "?" .url.RawQuery "\t\t\t" (.header.Get "XSignatureBase") ]]' + - set: + target: header.Authorization + value: '[[ sprintf "%ssignature=%s" (.header.Get "XSignatureBase") (.header.Get "XSignature") ]]' + - delete: + target: header.XSignature + - delete: + target: header.XSignatureKey + - delete: + target: header.XSignatureBase + - delete: + target: header.XTimestamp + +response.decode_as: application/x-ndjson + +response.pagination: + - set: + target: url.params.offset + value: '[[ .last_event.offset ]]' + fail_on_template_error: true + - delete: + target: url.params.from + - delete: + target: url.params.to + +cursor: + last_execution_datetime: + value: '[[ (now (parseDuration "-1m")).Unix ]]' + +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/akamai/2.1.2/data_stream/siem/elasticsearch/ingest_pipeline/default.yml b/packages/akamai/2.1.2/data_stream/siem/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..22817fede0 --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,456 @@ +--- +description: Pipeline for parsing Akamai logs +processors: +- set: + field: ecs.version + value: '8.4.0' +- rename: + field: message + target_field: event.original +- json: + field: event.original + target_field: json +- drop: + if: 'ctx?.json?.offset != null' +- set: + field: observer.vendor + value: akamai +- set: + field: observer.type + value: proxy +- date: + field: json.httpMessage.start + formats: + - UNIX + timezone: UTC + target_field: "@timestamp" +- set: + field: "event.start" + copy_from: "@timestamp" +- rename: + field: json.httpMessage.status + target_field: http.response.status_code + ignore_missing: true +- convert: + field: http.response.status_code + type: long + ignore_missing: true +- rename: + field: json.httpMessage.bytes + target_field: http.response.bytes + ignore_missing: true +- convert: + field: http.response.bytes + type: long + ignore_missing: true +- rename: + field: json.httpMessage.requestId + target_field: http.request.id + ignore_missing: true +- set: + field: event.id + copy_from: http.request.id + ignore_empty_value: true +- fingerprint: + fields: + - http.request.id + target_field: "_id" + ignore_missing: true +- rename: + field: json.httpMessage.method + target_field: http.request.method + ignore_missing: true +- rename: + field: json.httpMessage.host + target_field: url.domain + ignore_missing: true +- urldecode: + field: json.httpMessage.path + target_field: url.path + ignore_missing: true +- urldecode: + field: json.httpMessage.query + target_field: url.query + ignore_missing: true +- rename: + field: json.httpMessage.port + target_field: url.port + ignore_missing: true +- convert: + field: url.port + type: long + ignore_missing: true +- urldecode: + field: json.httpMessage.responseHeaders + target_field: _tmp.response.headers + ignore_missing: true +- kv: + field: _tmp.response.headers + target_field: akamai.siem.response.headers + field_split: '\r\n' + value_split: ': ' + ignore_missing: true +- urldecode: + field: json.httpMessage.requestHeaders + target_field: _tmp.request.headers + ignore_missing: true +- kv: + field: _tmp.request.headers + target_field: akamai.siem.request.headers + field_split: '\r\n' + value_split: ': ' + ignore_missing: true +- script: + lang: painless + description: This script builds the `url.full` field out of the available `url.*` parts. + source: | + def full = ""; + if(ctx.url.scheme != null && ctx.url.scheme != "") { + full += ctx.url.scheme+"://"; + } + if(ctx.url.domain != null && ctx.url.domain != "") { + full += ctx.url.domain; + } + if(ctx.json.httpMessage.path != null && ctx.json.httpMessage.path != "") { + full += ctx.json.httpMessage.path; + } + if(ctx.json.httpMessage.query != null && ctx.json.httpMessage.query != "") { + full += "?"+ctx.json.httpMessage.query; + } + if(full != "") { + ctx.url.full = full + } +- dissect: + field: json.httpMessage.protocol + pattern: "%{network.protocol}/%{http.version}" + ignore_failure: true +- lowercase: + field: network.protocol + ignore_missing: true +- set: + field: network.transport + value: tcp + if: ctx?.network?.protocol != null && ctx?.network?.protocol == 'http' +- dissect: + field: json.httpMessage.tls + pattern: "%{tls.version_protocol}v%{tls.version}" + ignore_failure: true + ignore_missing: true +- lowercase: + field: tls.version_protocol + ignore_missing: true +- rename: + field: json.attackData.clientIP + target_field: source.address + ignore_missing: true +- convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + ignore_failure: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- rename: + field: json.geo.country + target_field: source.geo.country_iso_code + ignore_missing: true + if: ctx?.source?.geo?.country_iso_code == null +- set: + field: source.geo.region_iso_code + value: "{{json.geo.country}}-{{json.geo.regionCode}}" + ignore_empty_value: true + if: ctx?.source?.geo?.region_iso_code == null +- rename: + field: json.geo.city + target_field: source.geo.city_name + ignore_missing: true + if: ctx?.source?.geo?.city_name == null +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- convert: + field: json.geo.asn + target_field: source.as.number + type: long + ignore_missing: true + if: ctx?.source?.as?.number == null +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +## Attack Data +- urldecode: + field: json.attackData.ruleActions + target_field: json.attackData.ruleActions + ignore_missing: true +- split: + field: json.attackData.ruleActions + target_field: json.attackData.ruleActions + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleData + target_field: json.attackData.ruleData + ignore_missing: true +- split: + field: json.attackData.ruleData + target_field: json.attackData.ruleData + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleMessages + target_field: json.attackData.ruleMessages + ignore_missing: true +- split: + field: json.attackData.ruleMessages + target_field: json.attackData.ruleMessages + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleSelectors + target_field: json.attackData.ruleSelectors + ignore_missing: true +- split: + field: json.attackData.ruleSelectors + target_field: json.attackData.ruleSelectors + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleTags + target_field: json.attackData.ruleTags + ignore_missing: true +- split: + field: json.attackData.ruleTags + target_field: json.attackData.ruleTags + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.ruleVersions + target_field: json.attackData.ruleVersions + ignore_missing: true +- split: + field: json.attackData.ruleVersions + target_field: json.attackData.ruleVersions + separator: ';' + preserve_trailing: true +- urldecode: + field: json.attackData.rules + target_field: json.attackData.rules + ignore_missing: true +- split: + field: json.attackData.rules + target_field: json.attackData.rules + separator: ';' + preserve_trailing: true +- script: + lang: painless + description: Base64 Decode the json.attackData.rule* fields + source: | + ArrayList items = new ArrayList(["rules", "ruleActions", "ruleData", "ruleMessages", "ruleTags", "ruleSelectors", "ruleVersions"]); + ArrayList rules_array = new ArrayList(); + ArrayList rule_actions = new ArrayList(); + ArrayList rule_tags = new ArrayList(); + for (def i = 0; i < ctx.json.attackData.rules.length; i++) { + HashMap map = new HashMap(); + for (def j = 0; j < items.length; j++) { + String key = items[j]; + if (i < ctx.json.attackData[key].length ) { + String value = ctx.json.attackData[key][i].replace(" ", "").decodeBase64(); + map.put(key, value); + if (key == "ruleTags") { + rule_tags.add(value.toLowerCase()); + } else if (key == "ruleActions") { + rule_actions.add(value.toLowerCase()); + } + } + } + rules_array.add(map); + } + ctx.akamai.siem.rules = rules_array; + ctx._rule_actions = rule_actions; + ctx._rule_tags = rule_tags; +- foreach: + field: _rule_actions + ignore_missing: true + processor: + append: + field: akamai.siem.rule_actions + value: '{{{_ingest._value}}}' + allow_duplicates: false +- remove: + field: _rule_actions + ignore_missing: true + ignore_failure: true +- foreach: + field: _rule_tags + ignore_missing: true + processor: + append: + field: akamai.siem.rule_tags + value: '{{{_ingest._value}}}' + allow_duplicates: false +- remove: + field: _rule_tags + ignore_missing: true + ignore_failure: true +- rename: + field: json.attackData.configId + target_field: akamai.siem.config_id + ignore_missing: true +- rename: + field: json.attackData.policyId + target_field: akamai.siem.policy_id + ignore_missing: true +- rename: + field: json.attackData.policyId + target_field: akamai.siem.policy_id + ignore_missing: true +- rename: + field: json.attackData.slowPostAction + target_field: akamai.siem.slow_post_action + ignore_missing: true +- convert: + field: json.attackData.slowPostRate + target_field: akamai.siem.slow_post_rate + type: long + ignore_missing: true +- rename: + field: json.attackData.clientReputation + target_field: akamai.siem.client_reputation + ignore_missing: true +- rename: + field: json.attackData.clientReputation + target_field: akamai.siem.client_reputation + ignore_missing: true +## Bot Data +- convert: + field: json.botData.botScore + target_field: akamai.siem.bot.score + type: long + ignore_missing: true +- convert: + field: json.botData.responseSegment + target_field: akamai.siem.bot.response_segment + type: long + ignore_missing: true +## Client Data +- rename: + field: json.clientData.appBundleId + target_field: akamai.siem.client_data.app_bundle_id + ignore_missing: true +- rename: + field: json.clientData.appVersion + target_field: akamai.siem.client_data.app_version + ignore_missing: true +- convert: + field: json.clientData.telemetryType + target_field: akamai.siem.client_data.telemetry_type + type: long + ignore_missing: true +- rename: + field: json.clientData.sdkVersion + target_field: akamai.siem.client_data.sdk_version + ignore_missing: true +## User Risk Data +- rename: + field: json.userRiskData.uuid + target_field: akamai.siem.user_risk.uuid + ignore_missing: true +- convert: + field: json.userRiskData.status + target_field: akamai.siem.user_risk.status + type: long + ignore_missing: true +- convert: + field: json.userRiskData.score + target_field: akamai.siem.user_risk.score + type: long + ignore_missing: true +- convert: + field: json.userRiskData.allow + target_field: akamai.siem.user_risk.allow + type: long + ignore_missing: true +- kv: + field: json.userRiskData.risk + target_field: akamai.siem.user_risk.risk + field_split: '\|' + value_split: ':' + ignore_missing: true +- kv: + field: json.userRiskData.trust + target_field: akamai.siem.user_risk.trust + field_split: '\|' + value_split: ':' + ignore_missing: true +- kv: + field: json.userRiskData.general + target_field: akamai.siem.user_risk.general + field_split: '\|' + value_split: ':' + ignore_missing: true +## +- append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false +- set: + field: client + copy_from: source +- set: + field: event.category + value: network +- set: + field: event.kind + value: event +- remove: + field: + - json + - _tmp + ignore_missing: true +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/akamai/2.1.2/data_stream/siem/fields/agent.yml b/packages/akamai/2.1.2/data_stream/siem/fields/agent.yml new file mode 100755 index 0000000000..4d9a6f7b36 --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/fields/agent.yml @@ -0,0 +1,114 @@ +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/akamai/2.1.2/data_stream/siem/fields/base-fields.yml b/packages/akamai/2.1.2/data_stream/siem/fields/base-fields.yml new file mode 100755 index 0000000000..90bd5c6753 --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: akamai +- name: event.dataset + type: constant_keyword + description: Event dataset + value: akamai.siem +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/akamai/2.1.2/data_stream/siem/fields/beats.yml b/packages/akamai/2.1.2/data_stream/siem/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/akamai/2.1.2/data_stream/siem/fields/ecs.yml b/packages/akamai/2.1.2/data_stream/siem/fields/ecs.yml new file mode 100755 index 0000000000..0a4253495c --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/fields/ecs.yml @@ -0,0 +1,267 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: Port of the client. + name: client.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: Password of the request. + name: url.password + type: keyword +- description: Port of the request, such as 443. + name: url.port + type: long +- description: Username of the request. + name: url.username + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: String indicating the cipher used during the current connection. + name: tls.cipher + type: keyword +- description: Numeric part of the version parsed from the original string. + name: tls.version + type: keyword +- description: Normalized lowercase protocol name parsed from original string. + name: tls.version_protocol + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: |- + A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. + name: http.request.id + type: keyword +- description: HTTP version. + name: http.version + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword diff --git a/packages/akamai/2.1.2/data_stream/siem/fields/fields.yml b/packages/akamai/2.1.2/data_stream/siem/fields/fields.yml new file mode 100755 index 0000000000..e08ab18e17 --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/fields/fields.yml @@ -0,0 +1,120 @@ +- name: akamai.siem + type: group + release: beta + default_field: false + description: > + Fields for Akamai SIEM Logs + + fields: + - name: response.headers + type: flattened + description: > + HTTP response headers + + - name: request.headers + type: flattened + description: > + HTTP Request headers + + - name: rules + type: nested + description: > + Rules triggered by this request + + - name: rule_actions + type: keyword + description: > + Actions taken for this request. + + - name: rule_tags + type: keyword + description: > + The set of categories for the triggered rule. + + - name: config_id + type: keyword + description: > + ID of the Security Configuration applied to the request. + + - name: policy_id + type: keyword + description: > + ID of the Firewall policy applied to the request. + + - name: slow_post_action + type: keyword + description: > + Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). + + - name: slow_post_rate + type: long + description: > + Recorded rate of a detected Slow POST attack. + + - name: client_reputation + type: keyword + description: > + Client IP scores for Client Reputation. + + - name: bot.score + type: long + description: > + Score assigned to the request by Botman Manager. + + - name: bot.response_segment + type: long + description: > + Numeric response segment indicator. Segments are used to group and categorize bot scores. + + - name: client_data.app_bundle_id + type: keyword + description: > + Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. + + - name: client_data.app_version + type: keyword + description: > + Version number of the app. + + - name: client_data.telemetry_type + type: long + description: > + Specifies the telemetry type in use. + + - name: client_data.sdk_version + type: keyword + description: > + SDK version + + - name: user_risk.uuid + type: keyword + description: > + Unique identifier of the user whose risk data is being provided. + + - name: user_risk.status + type: long + description: "Status code indicating any errors that might have occurred when calculating the risk score. \n" + - name: user_risk.score + type: long + description: > + Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). + + - name: user_risk.risk + type: flattened + description: > + Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. + + - name: user_risk.trust + type: flattened + description: > + Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. + + - name: user_risk.general + type: flattened + description: > + Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. + + - name: user_risk.allow + type: long + description: >- + Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. diff --git a/packages/akamai/2.1.2/data_stream/siem/manifest.yml b/packages/akamai/2.1.2/data_stream/siem/manifest.yml new file mode 100755 index 0000000000..29152e44f5 --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/manifest.yml @@ -0,0 +1,105 @@ +type: logs +title: Akamai SIEM Logs +release: experimental +streams: + - input: httpjson + vars: + - name: api_host + type: text + title: API Host + description: API Hostname in the form of http(s)://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net without path + multi: false + required: true + show_user: true + default: https://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net + - name: client_token + type: text + title: Client Token + description: Client token provided by "Credentials" ui + multi: false + required: true + show_user: true + - name: client_secret + type: password + title: Client Secret + description: Client secret provided by "Credentials" ui + multi: false + required: true + show_user: true + - name: access_token + type: password + title: Access Token + description: Access token provided by "Authorizations" ui + multi: false + required: true + show_user: true + - name: config_ids + type: text + title: Zone ID + multi: false + required: true + show_user: true + description: Unique identifier for each security configuration. To report on more than one configuration, separate integer identifiers with semicolons. ex. 12892;29182;82912 + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: true + default: 60s + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + description: Interval at which the logs will be pulled. The value must be between 2m and 1h. + default: 1h + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: Initial interval to poll for events. Default is 24 hours. + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - akamai-siem + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" + template_path: httpjson.yml.hbs + title: Akamai SIEM logs + description: Collect Akamai logs via the SIEM API diff --git a/packages/akamai/2.1.2/data_stream/siem/sample_event.json b/packages/akamai/2.1.2/data_stream/siem/sample_event.json new file mode 100755 index 0000000000..470e3d3588 --- /dev/null +++ b/packages/akamai/2.1.2/data_stream/siem/sample_event.json @@ -0,0 +1,193 @@ +{ + "@timestamp": "2016-08-11T13:45:33.026Z", + "agent": { + "ephemeral_id": "e19b5d16-c564-495d-b698-c62518e5bd2d", + "id": "8f529f3f-731a-445a-be12-a74c00235b26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.2" + }, + "akamai": { + "siem": { + "bot": { + "response_segment": 3, + "score": 100 + }, + "client_data": { + "app_bundle_id": "com.mydomain.myapp", + "app_version": "1.23", + "sdk_version": "4.7.1", + "telemetry_type": 2 + }, + "config_id": "6724", + "policy_id": "scoe_5426", + "request": { + "headers": { + "Accept": "text/html,application/xhtml xml", + "User-Agent": "BOT/0.1 (BOT for JCE)" + } + }, + "response": { + "headers": { + "Content-Type": "text/html", + "Mime-Version": "1.0", + "Server": "AkamaiGHost" + } + }, + "rule_actions": [ + "alert", + "deny" + ], + "rule_tags": [ + "web_attack/xss", + "automation/misc" + ], + "rules": [ + { + "ruleActions": "ALERT", + "ruleData": "alert(", + "ruleMessages": "Cross-site Scripting (XSS) Attack", + "ruleSelectors": "ARGS:a", + "ruleTags": "WEB_ATTACK/XSS", + "rules": "950004" + }, + { + "ruleActions": "DENY", + "ruleData": "curl", + "ruleMessages": "Request Indicates an automated program explored the site", + "ruleSelectors": "REQUEST_HEADERS:User-Agent", + "ruleTags": "AUTOMATION/MISC", + "rules": "990011" + } + ], + "user_risk": { + "allow": 0, + "general": { + "duc_1d": "30", + "duc_1h": "10" + }, + "risk": { + "udfp": "1325gdg4g4343g/M", + "unp": "74256/H" + }, + "score": 75, + "status": 0, + "trust": { + "ugp": "US" + }, + "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" + } + } + }, + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "data_stream": { + "dataset": "akamai.siem", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "8f529f3f-731a-445a-be12-a74c00235b26", + "snapshot": false, + "version": "8.3.2" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2022-07-18T23:04:41.747Z", + "dataset": "akamai.siem", + "id": "2ab418ac8515f33", + "ingested": "2022-07-18T23:04:42Z", + "kind": "event", + "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", + "start": "2016-08-11T13:45:33.026Z" + }, + "http": { + "request": { + "id": "2ab418ac8515f33", + "method": "POST" + }, + "response": { + "bytes": 34523, + "status_code": 301 + }, + "version": "2" + }, + "input": { + "type": "httpjson" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "akamai" + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "tags": [ + "akamai-siem", + "forwarded", + "preserve_original_event" + ], + "tls": { + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "domain": "www.example.com", + "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", + "path": "/examples/1/", + "port": 80, + "query": "a=../../../etc/passwd" + } +} \ No newline at end of file diff --git a/packages/akamai/2.1.2/docs/README.md b/packages/akamai/2.1.2/docs/README.md new file mode 100755 index 0000000000..fc80fcad9a --- /dev/null +++ b/packages/akamai/2.1.2/docs/README.md @@ -0,0 +1,333 @@ +# Akamai Integration + +The Akamai integration collects events from the Akamai API, specifically reading from the [Akamai SIEM API](https://techdocs.akamai.com/siem-integration/reference/api). + +## Logs + +### SIEM + +The Security Information and Event Management API allows you to capture security events generated on the ​Akamai​ platform in your SIEM application. + +Use this API to get security event data generated on the ​Akamai​ platform and correlate it with data from other sources in your SIEM solution. Capture security event data incrementally, or replay missed security events from the past 12 hours. You can store, query, and analyze the data delivered through this API on your end, then go back and adjust your Akamai security settings. If you’re coding your own SIEM connector, it needs to adhere to these specifications in order to pull in security events from Akamai Security Events Collector (ASEC) and process them properly. + +See [Akamai API get started](https://techdocs.akamai.com/siem-integration/reference/api-get-started) to set up your Akamai account and get your credentials. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| akamai.siem.bot.response_segment | Numeric response segment indicator. Segments are used to group and categorize bot scores. | long | +| akamai.siem.bot.score | Score assigned to the request by Botman Manager. | long | +| akamai.siem.client_data.app_bundle_id | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. | keyword | +| akamai.siem.client_data.app_version | Version number of the app. | keyword | +| akamai.siem.client_data.sdk_version | SDK version | keyword | +| akamai.siem.client_data.telemetry_type | Specifies the telemetry type in use. | long | +| akamai.siem.client_reputation | Client IP scores for Client Reputation. | keyword | +| akamai.siem.config_id | ID of the Security Configuration applied to the request. | keyword | +| akamai.siem.policy_id | ID of the Firewall policy applied to the request. | keyword | +| akamai.siem.request.headers | HTTP Request headers | flattened | +| akamai.siem.response.headers | HTTP response headers | flattened | +| akamai.siem.rule_actions | Actions taken for this request. | keyword | +| akamai.siem.rule_tags | The set of categories for the triggered rule. | keyword | +| akamai.siem.rules | Rules triggered by this request | nested | +| akamai.siem.slow_post_action | Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). | keyword | +| akamai.siem.slow_post_rate | Recorded rate of a detected Slow POST attack. | long | +| akamai.siem.user_risk.allow | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. | long | +| akamai.siem.user_risk.general | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. | flattened | +| akamai.siem.user_risk.risk | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. | flattened | +| akamai.siem.user_risk.score | Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). | long | +| akamai.siem.user_risk.status | Status code indicating any errors that might have occurred when calculating the risk score. | long | +| akamai.siem.user_risk.trust | Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. | flattened | +| akamai.siem.user_risk.uuid | Unique identifier of the user whose risk data is being provided. | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| tls.cipher | String indicating the cipher used during the current connection. | keyword | +| tls.version | Numeric part of the version parsed from the original string. | keyword | +| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.username | Username of the request. | keyword | + + +An example event for `siem` looks as following: + +```json +{ + "@timestamp": "2016-08-11T13:45:33.026Z", + "agent": { + "ephemeral_id": "e19b5d16-c564-495d-b698-c62518e5bd2d", + "id": "8f529f3f-731a-445a-be12-a74c00235b26", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.2" + }, + "akamai": { + "siem": { + "bot": { + "response_segment": 3, + "score": 100 + }, + "client_data": { + "app_bundle_id": "com.mydomain.myapp", + "app_version": "1.23", + "sdk_version": "4.7.1", + "telemetry_type": 2 + }, + "config_id": "6724", + "policy_id": "scoe_5426", + "request": { + "headers": { + "Accept": "text/html,application/xhtml xml", + "User-Agent": "BOT/0.1 (BOT for JCE)" + } + }, + "response": { + "headers": { + "Content-Type": "text/html", + "Mime-Version": "1.0", + "Server": "AkamaiGHost" + } + }, + "rule_actions": [ + "alert", + "deny" + ], + "rule_tags": [ + "web_attack/xss", + "automation/misc" + ], + "rules": [ + { + "ruleActions": "ALERT", + "ruleData": "alert(", + "ruleMessages": "Cross-site Scripting (XSS) Attack", + "ruleSelectors": "ARGS:a", + "ruleTags": "WEB_ATTACK/XSS", + "rules": "950004" + }, + { + "ruleActions": "DENY", + "ruleData": "curl", + "ruleMessages": "Request Indicates an automated program explored the site", + "ruleSelectors": "REQUEST_HEADERS:User-Agent", + "ruleTags": "AUTOMATION/MISC", + "rules": "990011" + } + ], + "user_risk": { + "allow": 0, + "general": { + "duc_1d": "30", + "duc_1h": "10" + }, + "risk": { + "udfp": "1325gdg4g4343g/M", + "unp": "74256/H" + }, + "score": 75, + "status": 0, + "trust": { + "ugp": "US" + }, + "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" + } + } + }, + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "data_stream": { + "dataset": "akamai.siem", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "8f529f3f-731a-445a-be12-a74c00235b26", + "snapshot": false, + "version": "8.3.2" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2022-07-18T23:04:41.747Z", + "dataset": "akamai.siem", + "id": "2ab418ac8515f33", + "ingested": "2022-07-18T23:04:42Z", + "kind": "event", + "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", + "start": "2016-08-11T13:45:33.026Z" + }, + "http": { + "request": { + "id": "2ab418ac8515f33", + "method": "POST" + }, + "response": { + "bytes": 34523, + "status_code": 301 + }, + "version": "2" + }, + "input": { + "type": "httpjson" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "akamai" + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "tags": [ + "akamai-siem", + "forwarded", + "preserve_original_event" + ], + "tls": { + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "domain": "www.example.com", + "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", + "path": "/examples/1/", + "port": 80, + "query": "a=../../../etc/passwd" + } +} +``` \ No newline at end of file diff --git a/packages/akamai/2.1.2/img/akamai_logo.svg b/packages/akamai/2.1.2/img/akamai_logo.svg new file mode 100755 index 0000000000..78cf6ad7e3 --- /dev/null +++ b/packages/akamai/2.1.2/img/akamai_logo.svg @@ -0,0 +1,151 @@ + + + +image/svg+xml \ No newline at end of file diff --git a/packages/akamai/2.1.2/kibana/dashboard/akamai-e7568320-066a-11ed-9f6c-cb8079f147f7.json b/packages/akamai/2.1.2/kibana/dashboard/akamai-e7568320-066a-11ed-9f6c-cb8079f147f7.json new file mode 100755 index 0000000000..be6200d28b --- /dev/null +++ b/packages/akamai/2.1.2/kibana/dashboard/akamai-e7568320-066a-11ed-9f6c-cb8079f147f7.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"da193144-a637-4245-82be-b4c206c68338\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"akamai.siem.rules.ruleTags\",\"title\":\"Akamai SIEM Rule Tags\",\"id\":\"da193144-a637-4245-82be-b4c206c68338\",\"selectedOptions\":[],\"enhancements\":{}}},\"29cb3921-4692-4779-a775-ec582885e7bb\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"akamai.siem.rules.ruleActions\",\"title\":\"Akamai SIEM Rule Actions\",\"id\":\"29cb3921-4692-4779-a775-ec582885e7bb\",\"enhancements\":{}}}}" + }, + "description": "Overview of Akamai SIEM events", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"akamai.siem\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"akamai.siem\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-09506914-3b16-4dd3-a9d1-d17d5b08ee56\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"09506914-3b16-4dd3-a9d1-d17d5b08ee56\":{\"columnOrder\":[\"05e4a9d5-f25d-4b06-8d60-0f6462e1fa1d\",\"6547e28e-d19e-443b-82e0-0fdfb4616b17\"],\"columns\":{\"05e4a9d5-f25d-4b06-8d60-0f6462e1fa1d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of akamai.siem.rule_tags\",\"operationType\":\"terms\",\"params\":{\"accuracyMode\":false,\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6547e28e-d19e-443b-82e0-0fdfb4616b17\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"akamai.siem.rule_tags\"},\"6547e28e-d19e-443b-82e0-0fdfb4616b17\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"akamai.siem\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"05e4a9d5-f25d-4b06-8d60-0f6462e1fa1d\"],\"layerId\":\"09506914-3b16-4dd3-a9d1-d17d5b08ee56\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6547e28e-d19e-443b-82e0-0fdfb4616b17\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"256bd35d-3cea-4120-b3a4-27cd50f07aa3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"256bd35d-3cea-4120-b3a4-27cd50f07aa3\",\"title\":\"Rule Tags\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-09506914-3b16-4dd3-a9d1-d17d5b08ee56\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"09506914-3b16-4dd3-a9d1-d17d5b08ee56\":{\"columnOrder\":[\"05e4a9d5-f25d-4b06-8d60-0f6462e1fa1d\",\"6547e28e-d19e-443b-82e0-0fdfb4616b17\"],\"columns\":{\"05e4a9d5-f25d-4b06-8d60-0f6462e1fa1d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of akamai.siem.rule_actions\",\"operationType\":\"terms\",\"params\":{\"accuracyMode\":false,\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6547e28e-d19e-443b-82e0-0fdfb4616b17\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"akamai.siem.rule_actions\"},\"6547e28e-d19e-443b-82e0-0fdfb4616b17\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"akamai.siem\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"05e4a9d5-f25d-4b06-8d60-0f6462e1fa1d\"],\"layerId\":\"09506914-3b16-4dd3-a9d1-d17d5b08ee56\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6547e28e-d19e-443b-82e0-0fdfb4616b17\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"bc61d3aa-5fd7-4d05-83a5-a362df834d27\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bc61d3aa-5fd7-4d05-83a5-a362df834d27\",\"title\":\"Rule Actions\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1a02de14-1ed4-4c49-8cfc-493cd846049a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1a02de14-1ed4-4c49-8cfc-493cd846049a\":{\"columnOrder\":[\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\",\"98abccc1-d255-44e6-b515-813580d245f7\"],\"columns\":{\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"98abccc1-d255-44e6-b515-813580d245f7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"98abccc1-d255-44e6-b515-813580d245f7\"],\"layerId\":\"1a02de14-1ed4-4c49-8cfc-493cd846049a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"2a92ba28-401c-445d-bd11-b824a0645742\",\"w\":48,\"x\":0,\"y\":8},\"panelIndex\":\"2a92ba28-401c-445d-bd11-b824a0645742\",\"title\":\"Requests Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1a02de14-1ed4-4c49-8cfc-493cd846049a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1a02de14-1ed4-4c49-8cfc-493cd846049a\":{\"columnOrder\":[\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\",\"98abccc1-d255-44e6-b515-813580d245f7\",\"6eaa6283-4f15-421b-9165-c38422cd6287\"],\"columns\":{\"6eaa6283-4f15-421b-9165-c38422cd6287\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of http.response.bytes\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"http.response.bytes\"},\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"98abccc1-d255-44e6-b515-813580d245f7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Moving average of Median of http.response.bytes\",\"operationType\":\"moving_average\",\"params\":{\"window\":5},\"references\":[\"6eaa6283-4f15-421b-9165-c38422cd6287\"],\"scale\":\"ratio\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"98abccc1-d255-44e6-b515-813580d245f7\"],\"layerId\":\"1a02de14-1ed4-4c49-8cfc-493cd846049a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"fc9bec32-2478-4e5f-bb13-aaf06398adf8\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"fc9bec32-2478-4e5f-bb13-aaf06398adf8\",\"title\":\"Response Bytes Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1a02de14-1ed4-4c49-8cfc-493cd846049a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1a02de14-1ed4-4c49-8cfc-493cd846049a\":{\"columnOrder\":[\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\",\"98abccc1-d255-44e6-b515-813580d245f7\",\"6eaa6283-4f15-421b-9165-c38422cd6287\"],\"columns\":{\"6eaa6283-4f15-421b-9165-c38422cd6287\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of akamai.siem.bot.score\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"akamai.siem.bot.score\"},\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"98abccc1-d255-44e6-b515-813580d245f7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Moving average of Median of http.response.bytes\",\"operationType\":\"moving_average\",\"params\":{\"window\":5},\"references\":[\"6eaa6283-4f15-421b-9165-c38422cd6287\"],\"scale\":\"ratio\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"98abccc1-d255-44e6-b515-813580d245f7\"],\"layerId\":\"1a02de14-1ed4-4c49-8cfc-493cd846049a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"7d10a32e-04b7-4672-b955-ecd9edbe8a93\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f1d059ce-7994-41a3-a720-ba39c3ff96d0\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"f1d059ce-7994-41a3-a720-ba39c3ff96d0\",\"title\":\"Akamai Bot Score Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d9f915e1-d387-4b75-b012-2b6add732cab\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d9f915e1-d387-4b75-b012-2b6add732cab\":{\"columnOrder\":[\"ea4afa2f-9b7e-40af-b991-44b6f22d8263\",\"51f7ad49-4ec0-49be-8eca-45b16f75e032\"],\"columns\":{\"51f7ad49-4ec0-49be-8eca-45b16f75e032\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ea4afa2f-9b7e-40af-b991-44b6f22d8263\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"akamai.siem.user_risk.score\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"akamai.siem.user_risk.score\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"51f7ad49-4ec0-49be-8eca-45b16f75e032\"],\"layerId\":\"d9f915e1-d387-4b75-b012-2b6add732cab\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"ea4afa2f-9b7e-40af-b991-44b6f22d8263\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"f709b8b5-2287-4685-8534-36b839a2d698\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"f709b8b5-2287-4685-8534-36b839a2d698\",\"title\":\"User Risk Score\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d9f915e1-d387-4b75-b012-2b6add732cab\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d9f915e1-d387-4b75-b012-2b6add732cab\":{\"columnOrder\":[\"ea4afa2f-9b7e-40af-b991-44b6f22d8263\",\"51f7ad49-4ec0-49be-8eca-45b16f75e032\"],\"columns\":{\"51f7ad49-4ec0-49be-8eca-45b16f75e032\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ea4afa2f-9b7e-40af-b991-44b6f22d8263\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"akamai.siem.user_risk.status\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"akamai.siem.user_risk.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"51f7ad49-4ec0-49be-8eca-45b16f75e032\"],\"layerId\":\"d9f915e1-d387-4b75-b012-2b6add732cab\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"ea4afa2f-9b7e-40af-b991-44b6f22d8263\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"b9638e51-f009-4475-b1aa-4f10bbdea9e7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"b9638e51-f009-4475-b1aa-4f10bbdea9e7\",\"title\":\"User Risk Status\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8d358434-4b32-4866-a42c-0b497a6166f4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8d358434-4b32-4866-a42c-0b497a6166f4\":{\"columnOrder\":[\"8bd250cd-194b-4487-8b9a-b2623b9b75a7\",\"06b3caa1-f694-4814-b34e-aff127e4cd4b\"],\"columns\":{\"06b3caa1-f694-4814-b34e-aff127e4cd4b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"8bd250cd-194b-4487-8b9a-b2623b9b75a7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"06b3caa1-f694-4814-b34e-aff127e4cd4b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"akamai.siem\\\" \"},\"visualization\":{\"emsField\":\"iso2\",\"emsLayerId\":\"world_countries\",\"layerId\":\"8d358434-4b32-4866-a42c-0b497a6166f4\",\"regionAccessor\":\"8bd250cd-194b-4487-8b9a-b2623b9b75a7\",\"valueAccessor\":\"06b3caa1-f694-4814-b34e-aff127e4cd4b\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsChoropleth\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":30,\"i\":\"a0c366c4-a72a-4621-b6e5-b7f588459d66\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"a0c366c4-a72a-4621-b6e5-b7f588459d66\",\"title\":\"Source Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-09506914-3b16-4dd3-a9d1-d17d5b08ee56\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"09506914-3b16-4dd3-a9d1-d17d5b08ee56\":{\"columnOrder\":[\"73ee8ae6-1fa4-4809-978a-1aa966d79356\",\"6547e28e-d19e-443b-82e0-0fdfb4616b17\"],\"columns\":{\"6547e28e-d19e-443b-82e0-0fdfb4616b17\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"73ee8ae6-1fa4-4809-978a-1aa966d79356\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of url.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6547e28e-d19e-443b-82e0-0fdfb4616b17\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"akamai.siem\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"73ee8ae6-1fa4-4809-978a-1aa966d79356\"],\"layerId\":\"09506914-3b16-4dd3-a9d1-d17d5b08ee56\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6547e28e-d19e-443b-82e0-0fdfb4616b17\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c9103a68-33ca-40a7-8a39-1e8f81c4a26c\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"c9103a68-33ca-40a7-8a39-1e8f81c4a26c\",\"title\":\"Top 10 URL Domains\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-09506914-3b16-4dd3-a9d1-d17d5b08ee56\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"09506914-3b16-4dd3-a9d1-d17d5b08ee56\":{\"columnOrder\":[\"73ee8ae6-1fa4-4809-978a-1aa966d79356\",\"6547e28e-d19e-443b-82e0-0fdfb4616b17\"],\"columns\":{\"6547e28e-d19e-443b-82e0-0fdfb4616b17\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"73ee8ae6-1fa4-4809-978a-1aa966d79356\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6547e28e-d19e-443b-82e0-0fdfb4616b17\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"akamai.siem\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"73ee8ae6-1fa4-4809-978a-1aa966d79356\"],\"layerId\":\"09506914-3b16-4dd3-a9d1-d17d5b08ee56\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6547e28e-d19e-443b-82e0-0fdfb4616b17\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c0e48432-edd2-4ac8-a6af-013796656aa4\",\"w\":24,\"x\":24,\"y\":59},\"panelIndex\":\"c0e48432-edd2-4ac8-a6af-013796656aa4\",\"title\":\"Top 10 Source County Codes\",\"type\":\"lens\",\"version\":\"8.3.2\"}]", + "timeRestore": false, + "title": "[Akamai SIEM] Akamai Overview", + "version": 1 + }, + "coreMigrationVersion": "8.3.2", + "id": "akamai-e7568320-066a-11ed-9f6c-cb8079f147f7", + "migrationVersion": { + "dashboard": "8.3.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "256bd35d-3cea-4120-b3a4-27cd50f07aa3:indexpattern-datasource-layer-09506914-3b16-4dd3-a9d1-d17d5b08ee56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bc61d3aa-5fd7-4d05-83a5-a362df834d27:indexpattern-datasource-layer-09506914-3b16-4dd3-a9d1-d17d5b08ee56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2a92ba28-401c-445d-bd11-b824a0645742:indexpattern-datasource-layer-1a02de14-1ed4-4c49-8cfc-493cd846049a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fc9bec32-2478-4e5f-bb13-aaf06398adf8:indexpattern-datasource-layer-1a02de14-1ed4-4c49-8cfc-493cd846049a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f1d059ce-7994-41a3-a720-ba39c3ff96d0:indexpattern-datasource-layer-1a02de14-1ed4-4c49-8cfc-493cd846049a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f709b8b5-2287-4685-8534-36b839a2d698:indexpattern-datasource-layer-d9f915e1-d387-4b75-b012-2b6add732cab", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b9638e51-f009-4475-b1aa-4f10bbdea9e7:indexpattern-datasource-layer-d9f915e1-d387-4b75-b012-2b6add732cab", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a0c366c4-a72a-4621-b6e5-b7f588459d66:indexpattern-datasource-layer-8d358434-4b32-4866-a42c-0b497a6166f4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9103a68-33ca-40a7-8a39-1e8f81c4a26c:indexpattern-datasource-layer-09506914-3b16-4dd3-a9d1-d17d5b08ee56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c0e48432-edd2-4ac8-a6af-013796656aa4:indexpattern-datasource-layer-09506914-3b16-4dd3-a9d1-d17d5b08ee56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_da193144-a637-4245-82be-b4c206c68338:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_29cb3921-4692-4779-a775-ec582885e7bb:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/akamai/2.1.2/manifest.yml b/packages/akamai/2.1.2/manifest.yml new file mode 100755 index 0000000000..a76497c036 --- /dev/null +++ b/packages/akamai/2.1.2/manifest.yml @@ -0,0 +1,26 @@ +name: akamai +title: Akamai +version: "2.1.2" +release: ga +description: Collect logs from Akamai with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security, network, web, cloud] +conditions: + kibana.version: "^8.3.0" +icons: + - src: /img/akamai_logo.svg + title: Akamai + size: 409×167 + type: image/svg+xml +policy_templates: + - name: akamai + title: Akamai logs + description: Collect SIEM logs from Akamai + inputs: + - type: httpjson + title: "Collect Akamai SIEM logs via API" + description: "Collecting SIEM logs from Akamai via API" +owner: + github: elastic/security-external-integrations diff --git a/packages/auditd/3.3.4/LICENSE.txt b/packages/auditd/3.3.4/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/auditd/3.3.4/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/auditd/3.3.4/changelog.yml b/packages/auditd/3.3.4/changelog.yml new file mode 100755 index 0000000000..391e21dc07 --- /dev/null +++ b/packages/auditd/3.3.4/changelog.yml @@ -0,0 +1,160 @@ +# newer versions go on top +- version: "3.3.4" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4399 +- version: "3.3.3" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "3.3.2" + changes: + - description: Remove unused visualizations + type: enhancement + link: https://github.com/elastic/integrations/issues/3975 +- version: "3.3.1" + changes: + - description: Add mapping for event.original. + type: bugfix + link: https://github.com/elastic/integrations/pull/4012 +- version: "3.3.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3841 +- version: "3.2.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "3.1.0" + changes: + - description: Change title to Auditd Logs + type: enhancement + link: https://github.com/elastic/integrations/pull/2763 +- version: "3.0.0" + changes: + - description: Migrate map visualisation from tile_map to map object + type: enhancement + link: https://github.com/elastic/integrations/pull/3246 +- version: "2.2.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "2.1.2" + changes: + - description: Set event.outcome value according ECS specification + type: bugfix + link: https://github.com/elastic/integrations/pull/3079 +- version: "2.1.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "2.1.0" + changes: + - description: Store EXECVE arguments in process.args array. + type: enhancement + link: https://github.com/elastic/integrations/pull/2730 +- version: "2.0.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2380 + - description: process.ppid is replaced with process.parent.pid (breaking change) + type: enhancement + link: https://github.com/elastic/integrations/pull/2380 +- version: "1.3.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.3.0" + changes: + - description: Change test IPs to the supported set for GeoIP + type: enhancement + link: https://github.com/elastic/integrations/pull/2215 + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2215 +- version: "1.2.4" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2002 +- version: "1.2.3" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1938 +- version: "1.2.2" + changes: + - description: Ensure boolean fields are true/false + type: bugfix + link: https://github.com/elastic/integrations/pull/1896 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1796 +- version: "1.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1637 +- version: "1.1.3" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1464 +- version: '1.1.2' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1370 +- version: "1.1.1" + changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1405 +- version: "1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1215 + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1215 +- version: "0.2.0" + changes: + - description: update to ECS 1.10.0 and apply changes to prepare for package GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1031 +- version: "0.1.2" + changes: + - description: set version in the ingest pipeline and make event.original optional + type: enhancement + link: https://github.com/elastic/integrations/pull/989 +- version: "0.1.1" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/833 +- version: "0.1.0" + changes: + - description: Add changes to use ECS 1.8 fields. + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/715 +- version: "0.0.1" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/396 diff --git a/packages/auditd/3.3.4/data_stream/log/agent/stream/log.yml.hbs b/packages/auditd/3.3.4/data_stream/log/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..c6e5ed4c73 --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/agent/stream/log.yml.hbs @@ -0,0 +1,19 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +exclude_files: [".gz$"] +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/auditd/3.3.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/auditd/3.3.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..615c251902 --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,2243 @@ +--- +description: Pipeline for parsing Linux auditd logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_failure: true + - grok: + field: event.original + pattern_definitions: + AUDIT_TYPE: "type=%{NOTSPACE:auditd.log.record_type}" + AUDIT_NODE: "node=%{IPORHOST:auditd.log.node} " + AUDIT_PREFIX: "^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?" + AUDIT_KEY_VALUES: "%{WORD}=%{GREEDYDATA}" + ANY: ".*" + patterns: + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid} + new auid=%{NUMBER:auditd.log.new_auid} old ses=%{NUMBER:auditd.log.old_ses} + new ses=%{NUMBER:auditd.log.new_ses}" + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} msg=['\"]([^=]*\\s)?%{ANY:auditd.log.sub_kv}['\"]" + - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv}" + - "%{AUDIT_PREFIX}" + - "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}" + - kv: + field: auditd.log.kv + field_split: "\\s+" + value_split: "=" + target_field: auditd.log + - kv: + field: auditd.log.sub_kv + field_split: "\\s+(?=[^\\s]+=)" + value_split: "=" + target_field: auditd.log + ignore_missing: true + - date: + field: auditd.log.epoch + target_field: "@timestamp" + formats: + - UNIX + ignore_failure: true + - rename: + ignore_failure: true + field: auditd.log.old-auid + target_field: auditd.log.old_auid + - rename: + ignore_failure: true + field: auditd.log.old-ses + target_field: auditd.log.old_ses + - script: + lang: painless + source: | + String trimQuotes(def singleQuote, def doubleQuote, def v) { + if (v.startsWith(singleQuote) || v.startsWith(doubleQuote)) { + v = v.substring(1, v.length()); + } + if (v.endsWith(singleQuote) || v.endsWith(doubleQuote)) { + v = v.substring(0, v.length()-1); + } + return v; + } + + boolean isHexAscii(String v) { + def len = v.length(); + + if (len == 0 || len % 2 != 0) { + return false; + } + + for (int i = 0 ; i < len ; i++) { + if (Character.digit(v.charAt(i), 16) == -1) { + return false; + } + } + return true; + } + + String convertHexToString(String hex) { + StringBuilder sb = new StringBuilder(); + boolean needed_encoding = false; + + for (int i=0; i < hex.length() - 1; i+=2) { + int cp = Integer.parseInt(hex.substring(i, (i +2)), 16); + if (cp < 33 || cp == 34 || cp == 127) { + needed_encoding = true; + } + if (cp < 32 || cp == 127) { + sb.append('^'); + cp ^= 64; + } + sb.append((char)cp); + } + if (needed_encoding) { + return sb.toString(); + } + return hex; + } + + Boolean convertStringToBoolean(String value) { + value = value.toLowerCase(); + return value == "yes" || value == "true" || value == "1"; + } + + def possibleHexKeys = ["exe", "cmd", "data", "path", "comm", "file", "name", "watch", "cwd", "acct", "dir", "vm", "old-chardev", "new-chardev", "old-disk", "new-disk", "old-fs", "new-fs", "old-net", "new-net", "device", "cgroup", "apparmor", "operation", "denied_mask", "info", "profile", "requested_mask", "old-rng", "new-rng", "ocomm", "grp", "new_group", "invalid_context", "sw", "root_dir", "proctitle"]; + def possibleBooleanKeys = ["success", "key_enforce"]; + def audit = ctx.auditd.get("log"); + Iterator entries = audit.entrySet().iterator(); + + while (entries.hasNext()) { + def e = entries.next(); + def k = e.getKey(); + def v = e.getValue(); + + // Remove entries whose value is ? + if (v == "?" || v == "(null)" || v == "") { + entries.remove(); + continue; + } + + // Convert hex values to ASCII. + if (possibleHexKeys.contains(k) && isHexAscii(v)) { + v = convertHexToString(v); + audit.put(k, v); + } + + // Convert string values to boolean. + if (possibleBooleanKeys.contains(k) && v instanceof String) { + v = convertStringToBoolean(v); + audit.put(k, v); + } + + // Trim quotes. + if (v instanceof String) { + v = trimQuotes(params.single_quote, params.double_quote, v); + audit.put(k, v); + } + + // Convert arch. + if (k == "arch" && v == "c000003e") { + audit.put(k, "x86_64"); + } + } + params: + single_quote: "'" + double_quote: "\"" + - convert: + field: auditd.log.sequence + type: long + ignore_missing: true + - convert: + field: auditd.log.lport + type: long + ignore_missing: true + - convert: + field: auditd.log.rport + type: long + ignore_missing: true + - convert: + field: auditd.log.entries + type: long + ignore_missing: true + - convert: + field: auditd.log.dst_prefixlen + type: long + ignore_missing: true + - convert: + field: auditd.log.ksize + type: long + ignore_missing: true + - convert: + field: auditd.log.size + type: long + ignore_missing: true + - convert: + field: auditd.log.src_prefixlen + type: long + ignore_missing: true + - set: + field: event.kind + value: event + - script: + lang: painless + ignore_failure: true + # Auditd record type to ECS mappings + # AUTOGENERATED FROM go-libaudit v2.2.0, DO NOT EDIT + params: + syscalls: + '*': + - event: + category: + - process + type: + - info + accept: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + accept4: + - event: + action: + - accepted-connection-from + category: + - network + type: + - connection + - start + access: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + adjtimex: + - event: + action: + - changed-system-time + category: + - host + type: + - change + bind: + - event: + action: + - bound-socket + category: + - network + type: + - start + brk: + - event: + action: + - allocated-memory + category: + - process + type: + - info + chmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + chown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + clock_settime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + connect: + - event: + action: + - connected-to + category: + - network + type: + - connection + - start + creat: + - event: + action: + - opened-file + category: + - file + type: + - creation + delete_module: + - event: + action: + - unloaded-kernel-module + category: + - driver + type: + - end + execve: + - event: + action: + - executed + category: + - process + type: + - start + execveat: + - event: + action: + - executed + category: + - process + type: + - start + faccessat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fallocate: + - event: + action: + - opened-file + category: + - file + type: + - change + fchmod: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchmodat: + - event: + action: + - changed-file-permissions-of + category: + - file + type: + - change + fchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fchownat: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + fgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + finit_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + fremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + fstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + fstatfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + ftruncate: + - event: + action: + - opened-file + category: + - file + type: + - change + futimens: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + futimesat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + getxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + init_module: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + kill: + - event: + action: + - killed-pid + category: + - process + type: + - end + lchown: + - event: + action: + - changed-file-ownership-of + category: + - file + type: + - change + lgetxattr: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + listen: + - event: + action: + - listen-for-connections + category: + - network + type: + - start + lremovexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lsetxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + lstat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + mkdir: + - event: + action: + - created-directory + category: + - file + type: + - creation + mkdirat: + - event: + action: + - created-directory + category: + - file + type: + - creation + mknod: + - event: + action: + - make-device + category: + - file + type: + - creation + mknodat: + - event: + action: + - make-device + category: + - file + type: + - creation + mmap: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mmap2: + - event: + action: + - allocated-memory + category: + - process + type: + - info + mount: + - event: + action: + - mounted + category: + - file + type: + - creation + newfstatat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + open: + - event: + action: + - opened-file + category: + - file + type: + - info + openat: + - event: + action: + - opened-file + category: + - file + type: + - info + read: + - event: + action: + - read-file + category: + - file + type: + - info + readlink: + - event: + action: + - opened-file + category: + - file + type: + - info + readlinkat: + - event: + action: + - opened-file + category: + - file + type: + - info + recv: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvfrom: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + recvmsg: + - event: + action: + - received-from + category: + - network + type: + - connection + - info + removexattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + rename: + - event: + action: + - renamed + category: + - file + type: + - change + renameat: + - event: + action: + - renamed + category: + - file + type: + - change + renameat2: + - event: + action: + - renamed + category: + - file + type: + - change + rmdir: + - event: + action: + - deleted + category: + - file + type: + - deletion + sched_setattr: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setparam: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + sched_setscheduler: + - event: + action: + - adjusted-scheduling-policy-of + category: + - process + type: + - change + send: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendmsg: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + sendto: + - event: + action: + - sent-to + category: + - network + type: + - connection + - info + setdomainname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setegid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + seteuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setfsgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setfsuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + sethostname: + - event: + action: + - changed-system-name + category: + - host + type: + - change + setregid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresgid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setresuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setreuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + settimeofday: + - event: + action: + - changed-system-time + category: + - host + type: + - change + setuid: + - event: + action: + - changed-identity-of + category: + - process + type: + - change + setxattr: + - event: + action: + - changed-file-attributes-of + category: + - file + type: + - change + stat: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + stat64: + - event: + action: + - checked-metadata-of + category: + - file + type: + - info + statfs: + - event: + action: + - checked-filesystem-metadata-of + category: + - file + type: + - info + stime: + - event: + action: + - changed-system-time + category: + - host + type: + - change + symlink: + - event: + action: + - symlinked + category: + - file + type: + - creation + symlinkat: + - event: + action: + - symlinked + category: + - file + type: + - creation + tgkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + tkill: + - event: + action: + - killed-pid + category: + - process + type: + - end + truncate: + - event: + action: + - opened-file + category: + - file + type: + - change + umount: + - event: + action: + - unmounted + category: + - file + type: + - deletion + umount2: + - event: + action: + - unmounted + category: + - file + type: + - deletion + unlink: + - event: + action: + - deleted + category: + - file + type: + - deletion + unlinkat: + - event: + action: + - deleted + category: + - file + type: + - deletion + utime: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimensat: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + utimes: + - event: + action: + - changed-timestamp-of + category: + - file + type: + - info + write: + - event: + action: + - wrote-to-file + category: + - file + type: + - change + types: + ACCT_LOCK: + - event: + action: + - locked-account + category: + - iam + type: + - user + - info + ACCT_UNLOCK: + - event: + action: + - unlocked-account + category: + - iam + type: + - user + - info + ADD_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - added-group-account-to + category: + - iam + type: + - group + - creation + ADD_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - added-user-account + category: + - iam + type: + - user + - creation + ANOM_ABEND: + - event: + action: + - crashed-program + category: + - process + type: + - end + ANOM_EXEC: + - event: + action: + - attempted-execution-of-forbidden-program + category: + - process + type: + - start + ANOM_LINK: + - event: + action: + - used-suspicious-link + ANOM_LOGIN_FAILURES: + - event: + action: + - failed-log-in-too-many-times-to + ANOM_LOGIN_LOCATION: + - event: + action: + - attempted-log-in-from-unusual-place-to + ANOM_LOGIN_SESSIONS: + - event: + action: + - opened-too-many-sessions-to + ANOM_LOGIN_TIME: + - event: + action: + - attempted-log-in-during-unusual-hour-to + ANOM_PROMISCUOUS: + - event: + action: + - changed-promiscuous-mode-on-device + ANOM_RBAC_INTEGRITY_FAIL: + - event: + action: + - tested-file-system-integrity-of + AVC: + - event: + action: + - violated-selinux-policy + has_fields: + - seresult + - event: + action: + - violated-apparmor-policy + has_fields: + - apparmor + CHGRP_ID: + - event: + action: + - changed-group + category: + - process + type: + - change + CHUSER_ID: + - event: + action: + - changed-user-id + category: + - process + type: + - change + CONFIG_CHANGE: + - event: + action: + - changed-audit-configuration + category: + - process + - configuration + type: + - change + CRED_ACQ: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - acquired-credentials + category: + - authentication + type: + - info + CRED_DISP: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - disposed-credentials + category: + - authentication + type: + - info + CRED_REFR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - refreshed-credentials + category: + - authentication + type: + - info + CRYPTO_KEY_USER: + - event: + action: + - negotiated-crypto-key + category: + - process + type: + - info + CRYPTO_LOGIN: + - event: + action: + - crypto-officer-logged-in + CRYPTO_LOGOUT: + - event: + action: + - crypto-officer-logged-out + category: + - process + type: + - info + CRYPTO_SESSION: + - event: + action: + - started-crypto-session + category: + - process + type: + - info + DAC_CHECK: + - event: + action: + - access-result + DAEMON_ABORT: + - event: + action: + - aborted-auditd-startup + category: + - process + type: + - stop + DAEMON_ACCEPT: + - event: + action: + - remote-audit-connected + category: + - network + type: + - connection + - start + DAEMON_CLOSE: + - event: + action: + - remote-audit-disconnected + category: + - network + type: + - connection + - start + DAEMON_CONFIG: + - event: + action: + - changed-auditd-configuration + category: + - process + - configuration + type: + - change + DAEMON_END: + - event: + action: + - shutdown-audit + category: + - process + type: + - stop + DAEMON_ERR: + - event: + action: + - audit-error + category: + - process + type: + - info + DAEMON_RECONFIG: + - event: + action: + - reconfigured-auditd + category: + - process + - configuration + type: + - info + DAEMON_RESUME: + - event: + action: + - resumed-audit-logging + category: + - process + type: + - change + DAEMON_ROTATE: + - event: + action: + - rotated-audit-logs + category: + - process + type: + - change + DAEMON_START: + - event: + action: + - started-audit + category: + - process + type: + - start + DEL_GROUP: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: group + event: + action: + - deleted-group-account-from + category: + - iam + type: + - group + - deletion + DEL_USER: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - id + - acct + to: user.target + event: + action: + - deleted-user-account + category: + - iam + type: + - user + - deletion + FEATURE_CHANGE: + - event: + action: + - changed-audit-feature + category: + - configuration + type: + - change + FS_RELABEL: + - event: + action: + - relabeled-filesystem + GRP_AUTH: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + event: + action: + - authenticated-to-group + category: + - authentication + type: + - info + GRP_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: group + event: + action: + - changed-group-password + category: + - iam + type: + - group + - change + GRP_MGMT: + - copy: + - from: + - auid + to: user + - from: + - uid + to: group + - from: + - uid + to: user.effective + event: + action: + - modified-group-account + category: + - iam + type: + - group + - change + KERNEL: + - event: + action: + - initialized-audit-subsystem + category: + - process + type: + - info + KERN_MODULE: + - event: + action: + - loaded-kernel-module + category: + - driver + type: + - start + LABEL_LEVEL_CHANGE: + - event: + action: + - modified-level-of + LABEL_OVERRIDE: + - event: + action: + - overrode-label-of + LOGIN: + - copy: + - from: + - old_auid + - old-auid + to: user + - from: + - new-auid + - new_auid + - auid + to: user.effective + event: + action: + - changed-login-id-to + category: + - authentication + type: + - start + MAC_CHECK: + - event: + action: + - mac-permission + MAC_CONFIG_CHANGE: + - event: + action: + - changed-selinux-boolean + category: + - configuration + type: + - change + MAC_POLICY_LOAD: + - event: + action: + - loaded-selinux-policy + category: + - configuration + type: + - access + MAC_STATUS: + - event: + action: + - changed-selinux-enforcement + category: + - configuration + type: + - change + NETFILTER_CFG: + - event: + action: + - loaded-firewall-rule-to + category: + - configuration + type: + - change + ROLE_ASSIGN: + - event: + action: + - assigned-user-role-to + category: + - iam + type: + - user + - change + ROLE_MODIFY: + - event: + action: + - modified-role + category: + - iam + type: + - change + ROLE_REMOVE: + - event: + action: + - removed-user-role-from + category: + - iam + type: + - user + - change + SECCOMP: + - event: + action: + - violated-seccomp-policy + SELINUX_ERR: + - event: + action: + - caused-mac-policy-error + SERVICE_START: + - event: + action: + - started-service + category: + - process + type: + - start + SERVICE_STOP: + - event: + action: + - stopped-service + category: + - process + type: + - stop + SOFTWARE_UPDATE: + - event: + action: + - package-updated + category: + - package + type: + - info + SYSTEM_BOOT: + - event: + action: + - booted-system + category: + - host + type: + - start + SYSTEM_RUNLEVEL: + - event: + action: + - changed-to-runlevel + category: + - host + type: + - change + SYSTEM_SHUTDOWN: + - event: + action: + - shutdown-system + category: + - host + type: + - end + TEST: + - event: + action: + - sent-test + category: + - process + type: + - info + TRUSTED_APP: + - event: + action: + - unknown + category: + - process + type: + - info + TTY: + - event: + action: + - typed + USER: + - event: + action: + - sent-message + USER_ACCT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - was-authorized + category: + - authentication + type: + - info + USER_AUTH: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - authenticated + category: + - authentication + type: + - info + USER_AVC: + - event: + action: + - access-permission + USER_CHAUTHTOK: + - copy: + - from: + - auid + to: user + - from: + - uid + to: user.effective + - from: + - acct + - id + - uid + to: user.target + event: + action: + - changed-password + category: + - iam + type: + - user + - change + USER_CMD: + - event: + action: + - ran-command + category: + - process + type: + - start + USER_END: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - ended-session + category: + - session + type: + - end + USER_ERR: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - error + category: + - authentication + type: + - info + USER_LOGIN: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-in + category: + - authentication + type: + - start + USER_LOGOUT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - logged-out + category: + - authentication + type: + - end + USER_MAC_CONFIG_CHANGE: + - event: + action: + - changed-mac-configuration + category: + - configuration + type: + - change + USER_MAC_POLICY_LOAD: + - event: + action: + - loaded-mac-policy + category: + - configuration + type: + - access + USER_MGMT: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.target + - from: + - uid + to: user.effective + event: + action: + - modified-user-account + category: + - iam + type: + - user + - change + USER_ROLE_CHANGE: + - event: + action: + - changed-role-to + USER_SELINUX_ERR: + - event: + action: + - access-error + USER_START: + - copy: + - from: + - auid + to: user + - from: + - acct + - id + - uid + to: user.effective + event: + action: + - started-session + category: + - session + type: + - start + USER_TTY: + - event: + action: + - typed + USYS_CONFIG: + - event: + action: + - changed-configuration + category: + - configuration + type: + - change + VIRT_CONTROL: + - event: + action: + - issued-vm-control + category: + - host + type: + - info + VIRT_CREATE: + - event: + action: + - created-vm-image + category: + - host + type: + - info + VIRT_DESTROY: + - event: + action: + - deleted-vm-image + category: + - host + type: + - info + VIRT_INTEGRITY_CHECK: + - event: + action: + - checked-integrity-of + category: + - host + type: + - info + VIRT_MACHINE_ID: + - event: + action: + - assigned-vm-id + category: + - host + type: + - info + VIRT_MIGRATE_IN: + - event: + action: + - migrated-vm-from + category: + - host + type: + - info + VIRT_MIGRATE_OUT: + - event: + action: + - migrated-vm-to + category: + - host + type: + - info + VIRT_RESOURCE: + - event: + action: + - assigned-vm-resource + category: + - host + type: + - info + # END OF AUTOGENERATED + source: >- + boolean hasFields(HashMap base, def list) { + if (list == null) return true; + for (int i=0; i ctx.event[k] = v); + } + if (act?.copy != null) { + List lst = new ArrayList(); + for(int i=0; i 0) { + ctx.auditd.log["copy"] = lst; + } + } + - foreach: + field: auditd.log.copy + ignore_missing: true + processor: + set: + field: "{{_ingest._value.target}}" + value: "{{_ingest._value.value}}" + - set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.category + value: host + - set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.type + value: info + - set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.category + value: process + - set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.type + value: info + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: event.category + value: host + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'start'" + field: event.type + value: start + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'stop'" + field: event.type + value: end + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'create'" + field: event.type + value: creation + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'delete'" + field: event.type + value: deletion + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: event.type + value: creation + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: container.name + value: "{{ auditd.log.vm }}" + ignore_empty_value: true + - set: + if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" + field: container.runtime + value: "{{ auditd.log.virt }}" + ignore_empty_value: true + - set: + if: > + ctx.auditd.log?.record_type == 'SYSCALL' && ( + ctx.auditd.log?.syscall == 'accept' || ctx.auditd.log?.syscall == '43' || + ctx.auditd.log?.syscall == 'recvfrom' || ctx.auditd.log?.syscall == '45' || + ctx.auditd.log?.syscall == 'recvmsg' || ctx.auditd.log?.syscall == '47' || + ctx.auditd.log?.syscall == 'accept4' || ctx.auditd.log?.syscall == '288' ) + field: network.direction + value: ingress + - set: + if: > + ctx.auditd.log?.record_type == 'SYSCALL' && ( + ctx.auditd.log?.syscall == 'connect' || ctx.auditd.log?.syscall == '42' || + ctx.auditd.log?.syscall == 'sendto' || ctx.auditd.log?.syscall == '44' || + ctx.auditd.log?.syscall == 'sendmsg' || ctx.auditd.log?.syscall == '46') + field: network.direction + value: egress + - set: + copy_from: auditd.log.arch + field: host.architecture + if: ctx.auditd.log?.arch != null + - rename: + ignore_failure: true + field: auditd.log.acct + target_field: user.name + - rename: + ignore_failure: true + field: auditd.log.user + target_field: user.name + - rename: + ignore_failure: true + field: auditd.log.uid + target_field: user.id + - rename: + ignore_failure: true + field: auditd.log.gid + target_field: user.group.id + - rename: + ignore_failure: true + field: auditd.log.agid + target_field: user.audit.group.id + - rename: + ignore_failure: true + field: auditd.log.auid + target_field: user.audit.id + - rename: + ignore_failure: true + field: auditd.log.fsgid + target_field: user.filesystem.group.id + - rename: + ignore_failure: true + field: auditd.log.fsuid + target_field: user.filesystem.id + - rename: + ignore_failure: true + field: auditd.log.egid + target_field: user.effective.group.id + - rename: + ignore_failure: true + field: auditd.log.euid + target_field: user.effective.id + - rename: + ignore_failure: true + field: auditd.log.sgid + target_field: user.saved.group.id + - rename: + ignore_failure: true + field: auditd.log.suid + target_field: user.saved.id + - rename: + ignore_failure: true + field: auditd.log.ogid + target_field: user.owner.group.id + - rename: + ignore_failure: true + field: auditd.log.ouid + target_field: user.owner.id + - rename: + ignore_failure: true + field: auditd.log.comm + target_field: process.name + - rename: + ignore_failure: true + field: auditd.log.exe + target_field: process.executable + - rename: + ignore_failure: true + field: auditd.log.pid + target_field: process.pid + - rename: + ignore_failure: true + field: auditd.log.ppid + target_field: process.parent.pid + - convert: + ignore_missing: true + field: process.pid + type: long + - convert: + ignore_missing: true + field: process.parent.pid + type: long + - rename: + ignore_failure: true + field: auditd.log.cmd + target_field: process.args + - split: + ignore_failure: true + field: process.args + separator: "\\s+" + - rename: + ignore_failure: true + field: auditd.log.argc + target_field: process.args_count + - script: + if: "ctx?.process?.args != null" + lang: painless + source: >- + if (ctx.process.args instanceof List) { + ctx.process.args_count = ctx.process.args.length; + } + - convert: + ignore_missing: true + field: process.args_count + type: long + - rename: + ignore_failure: true + field: auditd.log.exit + target_field: process.exit_code + - convert: + ignore_missing: true + field: process.exit_code + type: long + - rename: + ignore_missing: true + field: auditd.log.cwd + target_field: process.working_directory + - rename: + ignore_failure: true + field: auditd.log.terminal + target_field: user.terminal + - rename: + ignore_failure: true + field: auditd.log.msg + target_field: message + - set: + if: (ctx?.auditd?.log?.res != null && ["1", "success"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "success" + ignore_failure: true + - set: + if: (ctx?.auditd?.log?.res != null && ["0", "failed"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "failure" + ignore_failure: true + - set: + if: (ctx?.auditd?.log?.res != null && !["0", "1", "success", "failed"].contains(ctx.auditd.log.res)) + field: event.outcome + value: "unknown" + ignore_failure: true + # The processor below populates process.args list from argN fields. + # + # It handles the common case of a complete record: Contains argc=N and a0 to aN-1, + # and the truncated case: Contains aI, aI+1, ..., aN-1, for I>0, and no argc. + - script: + lang: painless + description: Extracts process arguments from EXECVE calls. + if: 'ctx.auditd?.log?.record_type == "EXECVE"' + source: >- + /* Want to capture all aNN fields, including aN_len and aN[x] */ + Pattern argRegex = /^a([0-9]+)(.*)$/; + + List keys = ctx.auditd.log.keySet().stream() + /* From List of keys to list of matchers */ + .map(x -> argRegex.matcher(x)) + /* Drop elements that didn't match the regex */ + .filter(x -> x.matches()) + /* Must save to a list because it needs to remove keys in auditd.log, + which cannot be done while streaming from this source */ + .collect(Collectors.toList()); + + List args = keys.stream() + /* List to List<[Matcher, Value for given key]> + with side effect of removing the key */ + .map(x -> [x, ctx.auditd.log.remove(x.group(0))]) + /* Drop elements that end in _len, just wanted to remove them */ + .filter(x -> x[0].group(2) != "_len") + /* List to List<[Int, Value]> + where the Int is the argument index */ + .map(x -> [Integer.parseInt(x[0].group(1)), x[1]]) + /* Sort by numeric argument index */ + .sorted((lhs, rhs) -> lhs[0].compareTo(rhs[0])) + /* Save as List<[Index, Value]> */ + .collect(Collectors.toList()); + + if (args.isEmpty()) return; + if (ctx.process == null) ctx.process = new HashMap(); + ctx.process.args = args.stream().map(x -> x[1]).collect(Collectors.toList()); + def firstIndex = args[0][0]; + if (firstIndex == 0) { + ctx.process.executable = ctx.process.args[0]; + } else { + ctx.process.args.add(0, "[... " + firstIndex + " truncated arguments ...]"); + } + on_failure: + - append: + field: error.message + value: "failed extracting process arguments: {{{ _ingest.on_failure_message }}}" + - rename: + ignore_failure: true + field: auditd.log.record_type + target_field: event.action + - lowercase: + ignore_failure: true + field: event.action + - rename: + ignore_failure: true + field: auditd.log.src + target_field: source.address + - rename: + ignore_failure: true + field: auditd.log.addr + target_field: source.address + if: ctx?.source?.address == null + - rename: + ignore_failure: true + field: auditd.log.dst + target_field: destination.address + - grok: + field: source.address + patterns: + - "^%{IP:source.ip}$" + ignore_failure: true + - geoip: + field: source.ip + target_field: source.geo + ignore_failure: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: + - auditd.log.kv + - auditd.log.sub_kv + - auditd.log.epoch + - auditd.log.copy + - auditd.log.arch + - auditd.log.res + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/auditd/3.3.4/data_stream/log/fields/agent.yml b/packages/auditd/3.3.4/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..f027c185f4 --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/fields/agent.yml @@ -0,0 +1,193 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/auditd/3.3.4/data_stream/log/fields/base-fields.yml b/packages/auditd/3.3.4/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..5e4ff67d8d --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/fields/base-fields.yml @@ -0,0 +1,25 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: auditd +- name: event.dataset + type: constant_keyword + description: Event dataset + value: auditd.log +- name: '@timestamp' + type: date + description: Event timestamp. +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/auditd/3.3.4/data_stream/log/fields/ecs.yml b/packages/auditd/3.3.4/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..e0b5c13617 --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/fields/ecs.yml @@ -0,0 +1,195 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: Operating system architecture. + name: host.architecture + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + normalize: + - array + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.exit_code + type: long +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Unique identifier for the group on the system/platform. + name: user.effective.group.id + type: keyword +- description: Name of the group. + name: user.effective.group.name + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/auditd/3.3.4/data_stream/log/fields/fields.yml b/packages/auditd/3.3.4/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..4bc1b3ac81 --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/fields/fields.yml @@ -0,0 +1,182 @@ +- name: auditd.log + type: group + default_field: false + fields: + - name: old_auid + type: keyword + description: | + For login events this is the old audit ID used for the user prior to this login. + - name: new_auid + type: keyword + description: | + For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). + - name: old_ses + type: keyword + description: | + For login events this is the old session ID used for the user prior to this login. + - name: new_ses + type: keyword + description: | + For login events this is the new session ID. It can be used to tie a user to future events by session ID. + - name: sequence + type: long + description: | + The audit event sequence number. + - name: items + type: keyword + description: | + The number of items in an event. + - name: item + type: keyword + description: | + The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. + - name: tty + type: keyword + - name: a0 + type: keyword + description: | + The first argument to the system call. + - name: addr + type: ip + - name: rport + type: long + - name: laddr + type: ip + - name: lport + type: long + - name: entries + type: long + - name: audit_failure + type: keyword + - name: cipher + type: keyword + - name: data + type: keyword + - name: dev + type: keyword + - name: fe + type: keyword + - name: fi + type: keyword + - name: fp + type: keyword + - name: format + type: keyword + - name: default-context + type: keyword + - name: direction + type: keyword + - name: dst_prefixlen + type: long + - name: family + type: keyword + - name: fver + type: keyword + - name: gpg_res + type: keyword + - name: hostname + type: keyword + - name: id + type: keyword + - name: inode + type: keyword + - name: kernel + type: keyword + - name: key_enforce + type: boolean + - name: img-ctx + type: keyword + - name: kind + type: keyword + - name: ksize + type: long + - name: list + type: keyword + - name: major + type: keyword + - name: minor + type: keyword + - name: mode + type: keyword + - name: model + type: keyword + - name: name + type: keyword + - name: new-level + type: keyword + - name: new_pe + type: keyword + - name: new_pi + type: keyword + - name: new_pp + type: keyword + - name: old-level + type: keyword + - name: old_pe + type: keyword + - name: old_pi + type: keyword + - name: old_pp + type: keyword + - name: node + type: keyword + - name: obj + type: keyword + - name: objtype + type: keyword + - name: old + type: keyword + - name: op + type: keyword + - name: pfs + type: keyword + - name: proctitle + type: keyword + - name: rdev + type: keyword + - name: reason + type: keyword + - name: root_dir + type: keyword + - name: saddr + type: keyword + - name: selected-context + type: keyword + - name: ses + type: keyword + - name: spid + type: keyword + - name: src_prefixlen + type: long + - name: subj + type: keyword + - name: success + type: boolean + - name: sw + type: keyword + - name: sw_type + type: keyword + - name: syscall + type: keyword + - name: table + type: keyword + - name: unit + type: keyword + - name: uuid + type: keyword + - name: ver + type: keyword + - name: virt + type: keyword + - name: vm + type: keyword + - name: vm-ctx + type: keyword + - name: geoip + type: group + - name: uid + type: keyword + - name: record_type + type: keyword + - name: reset + type: keyword diff --git a/packages/auditd/3.3.4/data_stream/log/fields/package-fields.yml b/packages/auditd/3.3.4/data_stream/log/fields/package-fields.yml new file mode 100755 index 0000000000..412bf41bb1 --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/fields/package-fields.yml @@ -0,0 +1,85 @@ +- name: user + type: group + fields: + - name: terminal + type: keyword + description: | + Terminal or tty device on which the user is performing the observed activity. + - name: audit + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: filesystem + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: owner + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. + - name: saved + type: group + fields: + - name: id + type: keyword + description: | + One or multiple unique identifiers of the user. + - name: name + type: keyword + description: | + Short name or login of the user. + - name: group.id + type: keyword + description: | + Unique identifier for the group on the system/platform. + - name: group.name + type: keyword + description: | + Name of the group. +- name: auditd + type: group diff --git a/packages/auditd/3.3.4/data_stream/log/manifest.yml b/packages/auditd/3.3.4/data_stream/log/manifest.yml new file mode 100755 index 0000000000..285926867f --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/manifest.yml @@ -0,0 +1,41 @@ +type: logs +title: Auditd logs +streams: + - input: logfile + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/audit/audit.log* + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - auditd-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: log.yml.hbs + title: Auditd logs + description: Collect Auditd logs using log input diff --git a/packages/auditd/3.3.4/data_stream/log/sample_event.json b/packages/auditd/3.3.4/data_stream/log/sample_event.json new file mode 100755 index 0000000000..ca16d5db80 --- /dev/null +++ b/packages/auditd/3.3.4/data_stream/log/sample_event.json @@ -0,0 +1,70 @@ +{ + "@timestamp": "2016-01-03T00:37:51.394Z", + "agent": { + "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772", + "hostname": "docker-fleet-agent", + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "auditd": { + "log": { + "proctitle": "bash", + "sequence": 194438 + } + }, + "data_stream": { + "dataset": "auditd.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "proctitle", + "agent_id_status": "verified", + "dataset": "auditd.log", + "ingested": "2022-04-13T05:23:36Z", + "kind": "event" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02:42:ac:13:00:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/audit.log" + }, + "offset": 1706 + }, + "tags": [ + "auditd-log" + ] +} \ No newline at end of file diff --git a/packages/auditd/3.3.4/docs/README.md b/packages/auditd/3.3.4/docs/README.md new file mode 100755 index 0000000000..cbc0c59041 --- /dev/null +++ b/packages/auditd/3.3.4/docs/README.md @@ -0,0 +1,278 @@ +# Auditd Logs Integration + +The Auditd Logs integration collects and parses logs from the audit daemon (`auditd`). + +## Compatibility + +The integration was tested with logs from `auditd` on OSes like CentOS 6 and CentOS 7. + +This integration is not available for Windows. + +## Auditd Logs + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2016-01-03T00:37:51.394Z", + "agent": { + "ephemeral_id": "ef6d17d9-f955-48be-a4c5-6b4ea1fe9772", + "hostname": "docker-fleet-agent", + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "auditd": { + "log": { + "proctitle": "bash", + "sequence": 194438 + } + }, + "data_stream": { + "dataset": "auditd.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "f386c08a-1dcf-444a-a259-9c33fa001606", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "proctitle", + "agent_id_status": "verified", + "dataset": "auditd.log", + "ingested": "2022-04-13T05:23:36Z", + "kind": "event" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02:42:ac:13:00:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.3 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/audit.log" + }, + "offset": 1706 + }, + "tags": [ + "auditd-log" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| auditd.log.a0 | The first argument to the system call. | keyword | +| auditd.log.addr | | ip | +| auditd.log.audit_failure | | keyword | +| auditd.log.cipher | | keyword | +| auditd.log.data | | keyword | +| auditd.log.default-context | | keyword | +| auditd.log.dev | | keyword | +| auditd.log.direction | | keyword | +| auditd.log.dst_prefixlen | | long | +| auditd.log.entries | | long | +| auditd.log.family | | keyword | +| auditd.log.fe | | keyword | +| auditd.log.fi | | keyword | +| auditd.log.format | | keyword | +| auditd.log.fp | | keyword | +| auditd.log.fver | | keyword | +| auditd.log.gpg_res | | keyword | +| auditd.log.hostname | | keyword | +| auditd.log.id | | keyword | +| auditd.log.img-ctx | | keyword | +| auditd.log.inode | | keyword | +| auditd.log.item | The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. | keyword | +| auditd.log.items | The number of items in an event. | keyword | +| auditd.log.kernel | | keyword | +| auditd.log.key_enforce | | boolean | +| auditd.log.kind | | keyword | +| auditd.log.ksize | | long | +| auditd.log.laddr | | ip | +| auditd.log.list | | keyword | +| auditd.log.lport | | long | +| auditd.log.major | | keyword | +| auditd.log.minor | | keyword | +| auditd.log.mode | | keyword | +| auditd.log.model | | keyword | +| auditd.log.name | | keyword | +| auditd.log.new-level | | keyword | +| auditd.log.new_auid | For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). | keyword | +| auditd.log.new_pe | | keyword | +| auditd.log.new_pi | | keyword | +| auditd.log.new_pp | | keyword | +| auditd.log.new_ses | For login events this is the new session ID. It can be used to tie a user to future events by session ID. | keyword | +| auditd.log.node | | keyword | +| auditd.log.obj | | keyword | +| auditd.log.objtype | | keyword | +| auditd.log.old | | keyword | +| auditd.log.old-level | | keyword | +| auditd.log.old_auid | For login events this is the old audit ID used for the user prior to this login. | keyword | +| auditd.log.old_pe | | keyword | +| auditd.log.old_pi | | keyword | +| auditd.log.old_pp | | keyword | +| auditd.log.old_ses | For login events this is the old session ID used for the user prior to this login. | keyword | +| auditd.log.op | | keyword | +| auditd.log.pfs | | keyword | +| auditd.log.proctitle | | keyword | +| auditd.log.rdev | | keyword | +| auditd.log.reason | | keyword | +| auditd.log.record_type | | keyword | +| auditd.log.reset | | keyword | +| auditd.log.root_dir | | keyword | +| auditd.log.rport | | long | +| auditd.log.saddr | | keyword | +| auditd.log.selected-context | | keyword | +| auditd.log.sequence | The audit event sequence number. | long | +| auditd.log.ses | | keyword | +| auditd.log.spid | | keyword | +| auditd.log.src_prefixlen | | long | +| auditd.log.subj | | keyword | +| auditd.log.success | | boolean | +| auditd.log.sw | | keyword | +| auditd.log.sw_type | | keyword | +| auditd.log.syscall | | keyword | +| auditd.log.table | | keyword | +| auditd.log.tty | | keyword | +| auditd.log.uid | | keyword | +| auditd.log.unit | | keyword | +| auditd.log.uuid | | keyword | +| auditd.log.ver | | keyword | +| auditd.log.virt | | keyword | +| auditd.log.vm | | keyword | +| auditd.log.vm-ctx | | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.audit.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.audit.group.name | Name of the group. | keyword | +| user.audit.id | One or multiple unique identifiers of the user. | keyword | +| user.audit.name | Short name or login of the user. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.filesystem.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.filesystem.group.name | Name of the group. | keyword | +| user.filesystem.id | One or multiple unique identifiers of the user. | keyword | +| user.filesystem.name | Short name or login of the user. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.owner.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.owner.group.name | Name of the group. | keyword | +| user.owner.id | One or multiple unique identifiers of the user. | keyword | +| user.owner.name | Short name or login of the user. | keyword | +| user.saved.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.saved.group.name | Name of the group. | keyword | +| user.saved.id | One or multiple unique identifiers of the user. | keyword | +| user.saved.name | Short name or login of the user. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.terminal | Terminal or tty device on which the user is performing the observed activity. | keyword | + diff --git a/packages/auditd/3.3.4/img/kibana-audit-auditd.png b/packages/auditd/3.3.4/img/kibana-audit-auditd.png new file mode 100755 index 0000000000..732afa18dc Binary files /dev/null and b/packages/auditd/3.3.4/img/kibana-audit-auditd.png differ diff --git a/packages/auditd/3.3.4/img/linux.svg b/packages/auditd/3.3.4/img/linux.svg new file mode 100755 index 0000000000..c0a92e0c0f --- /dev/null +++ b/packages/auditd/3.3.4/img/linux.svg @@ -0,0 +1,1532 @@ + + + + Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + Tux + 20 June 2012 + + + Garrett LeSage + + + + + + Larry Ewing, the creator of the original Tux graphic + + + + + tux + Linux + penguin + logo + + + + + Larry Ewing, Garrett LeSage + + + https://github.com/garrett/Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/auditd/3.3.4/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json b/packages/auditd/3.3.4/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json new file mode 100755 index 0000000000..0badd80a3a --- /dev/null +++ b/packages/auditd/3.3.4/kibana/dashboard/auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "Dashboard for the Auditd Logs integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"event.action\",\"auditd.log.sequence\",\"user.name\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"623a62b9-8745-4fec-8738-bbe6fb8c16aa\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"efef3e71-f9ce-4a8e-8c27-68ad0d047d9b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Event Address Geo Location [Logs Auditd]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"8155deb8-6760-42ad-b14a-dd20958bcb52\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15m\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Event Address Geo Location [Logs Auditd]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"09f4ba02-a62c-410f-8d43-31e9e5278826\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"09f4ba02-a62c-410f-8d43-31e9e5278826\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "[Logs Auditd] Audit Events", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-dfbb49f0-0a0f-11e7-8a62-2d05eaaac5cb", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "auditd-c5411910-0a87-11e7-8b04-eb22a5669f27", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27", + "name": "7:panel_7", + "type": "search" + }, + { + "id": "logs-*", + "name": "09f4ba02-a62c-410f-8d43-31e9e5278826:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/auditd/3.3.4/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json b/packages/auditd/3.3.4/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json new file mode 100755 index 0000000000..d6ef417bea --- /dev/null +++ b/packages/auditd/3.3.4/kibana/search/auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27.json @@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "event.action", + "auditd.log.sequence", + "user.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:auditd.log\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Audit Events [Logs Auditd]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-4ac0a370-0a11-11e7-8b04-eb22a5669f27", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/auditd/3.3.4/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json b/packages/auditd/3.3.4/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json new file mode 100755 index 0000000000..533fc81bb9 --- /dev/null +++ b/packages/auditd/3.3.4/kibana/visualization/auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Event Results [Logs Auditd]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"expression\":\".es(q=\\\"data_stream.dataset:auditd.log NOT event.outcome:failure\\\").label(\\\"Success\\\"), .es(q=\\\"event.outcome:failed\\\").label(\\\"Failure\\\").title(\\\"Audit Event Results\\\")\",\"interval\":\"auto\"},\"title\":\"Event Results [Logs Auditd]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-2bb0fa70-0a11-11e7-9e84-43da493ad0c7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/auditd/3.3.4/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json b/packages/auditd/3.3.4/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json new file mode 100755 index 0000000000..3aaa56b932 --- /dev/null +++ b/packages/auditd/3.3.4/kibana/visualization/auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.action:\\\"EXECVE\\\" or event.action:\\\"execve\\\"\"}}" + }, + "title": "Top Exec Commands [Logs Auditd]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Command (arg 0)\",\"field\":\"auditd.log.a0\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Audit Top Exec Commands\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-5ebdbe50-0a0f-11e7-825f-6748cda7d858", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/auditd/3.3.4/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json b/packages/auditd/3.3.4/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json new file mode 100755 index 0000000000..fa18dd2400 --- /dev/null +++ b/packages/auditd/3.3.4/kibana/visualization/auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Event types breakdown [Logs Auditd]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Audit Event Types\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-6295bdd0-0a0e-11e7-825f-6748cda7d858", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/auditd/3.3.4/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json b/packages/auditd/3.3.4/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json new file mode 100755 index 0000000000..9cd954ab52 --- /dev/null +++ b/packages/auditd/3.3.4/kibana/visualization/auditd-c5411910-0a87-11e7-8b04-eb22a5669f27.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Event Account Tag Cloud [Logs Auditd]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":42,\"minFontSize\":15,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Audit Event Account Tag Cloud\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "auditd-c5411910-0a87-11e7-8b04-eb22a5669f27", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/auditd/3.3.4/manifest.yml b/packages/auditd/3.3.4/manifest.yml new file mode 100755 index 0000000000..625b1497d0 --- /dev/null +++ b/packages/auditd/3.3.4/manifest.yml @@ -0,0 +1,32 @@ +name: auditd +title: Auditd Logs +version: "3.3.4" +release: ga +description: Collect logs from Linux audit daemon with Elastic Agent. +type: integration +icons: + - src: /img/linux.svg + title: linux + size: 299x354 + type: image/svg+xml +format_version: 1.0.0 +license: basic +categories: + - os_system +conditions: + kibana.version: ^8.0.0 +screenshots: + - src: /img/kibana-audit-auditd.png + title: Auditd Kibana Dashboard + size: 1230x997 + type: image/png +policy_templates: + - name: auditd + title: Auditd logs + description: Collect logs from Auditd instances + inputs: + - type: logfile + title: "Collect Auditd application logs (input: logfile)" + description: "Collecting application logs from Auditd instances (input: logfile)" +owner: + github: elastic/security-external-integrations diff --git a/packages/barracuda/0.11.2/LICENSE.txt b/packages/barracuda/0.11.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/barracuda/0.11.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/barracuda/0.11.2/changelog.yml b/packages/barracuda/0.11.2/changelog.yml new file mode 100755 index 0000000000..c7534636d7 --- /dev/null +++ b/packages/barracuda/0.11.2/changelog.yml @@ -0,0 +1,106 @@ +# newer versions go on top +- version: "0.11.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4399 +- version: "0.11.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "0.11.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3841 +- version: "0.10.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "0.9.0" + changes: + - description: Update to ECS 8.2.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "0.8.0" + changes: + - description: Update to ECS 8.0.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2574 +- version: "0.7.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.7.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2245 +- version: "0.6.4" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2018 +- version: "0.6.3" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1947 +- version: "0.6.2" + changes: + - description: Fixed a bug that prevents the package from working in 7.16. + type: bugfix + link: https://github.com/elastic/integrations/pull/1882 +- version: "0.6.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1799 +- version: "0.6.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1649 +- version: "0.5.3" + changes: + - description: Requires version 7.14.1 of the stack + type: bugfix + link: https://github.com/elastic/integrations/pull/1541 +- version: "0.5.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1467 +- version: '0.5.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1373 +- version: "0.5.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.4.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1252 +- version: "0.3.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1042 +- version: "0.2.4" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/836 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/package-storage/pull/152 diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/stream.yml.hbs b/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..d526857235 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/stream.yml.hbs @@ -0,0 +1,3374 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Barracuda" + product: "Spam" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{resultcode->} %{info}"); + + var dup2 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); + + var dup3 = setc("eventcategory","1207010201"); + + var dup4 = setf("msg","$MSG"); + + var dup5 = setc("direction","inbound"); + + var dup6 = date_time({ + dest: "starttime", + args: ["fld1"], + fmts: [ + [dX], + ], + }); + + var dup7 = date_time({ + dest: "endtime", + args: ["fld2"], + fmts: [ + [dX], + ], + }); + + var dup8 = field("fld3"); + + var dup9 = field("resultcode"); + + var dup10 = field("disposition"); + + var dup11 = field("event_cat"); + + var dup12 = setc("action"," RECV"); + + var dup13 = setc("eventcategory","1207010000"); + + var dup14 = setc("direction","outbound"); + + var dup15 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); + + var dup16 = setc("eventcategory","1207040000"); + + var dup17 = setc("eventcategory","1701020000"); + + var dup18 = setc("ec_subject","User"); + + var dup19 = setc("ec_activity","Logon"); + + var dup20 = setc("ec_theme","Authentication"); + + var dup21 = constant("Deferred Message"); + + var dup22 = constant("1207010100"); + + var dup23 = constant("1207040200"); + + var dup24 = constant("1207040100"); + + var dup25 = constant("1207010000"); + + var dup26 = constant("1207000000"); + + var dup27 = linear_select([ + dup1, + dup2, + ]); + + var dup28 = lookup({ + dest: "nwparser.disposition", + map: map_getActionName, + key: dup8, + }); + + var dup29 = lookup({ + dest: "nwparser.result", + map: map_getReasonName, + key: dup9, + }); + + var dup30 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup10, + }); + + var dup31 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup11, + }); + + var dup32 = lookup({ + dest: "nwparser.disposition", + map: map_getActionNameForSend, + key: dup8, + }); + + var dup33 = linear_select([ + dup15, + dup2, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld14"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("/"), + field("messageid"), + constant("["), + field("hfld14"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + ]); + + var part1 = match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); + + var all1 = all_match({ + processors: [ + part1, + dup27, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + dup12, + ]), + }); + + var msg1 = msg("000001", all1); + + var part2 = match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); + + var part3 = match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); + + var part4 = match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); + + var select2 = linear_select([ + part3, + part4, + ]); + + var all2 = all_match({ + processors: [ + part2, + select2, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + setc("action"," SCAN"), + ]), + }); + + var msg2 = msg("inbound/pass1", all2); + + var part5 = match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); + + var all3 = all_match({ + processors: [ + part5, + dup27, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + dup12, + ]), + }); + + var msg3 = msg("inbound/pass1:01", all3); + + var select3 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var part6 = match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); + + var part7 = match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); + + var select4 = linear_select([ + part7, + dup2, + ]); + + var all4 = all_match({ + processors: [ + part6, + select4, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg4 = msg("000002", all4); + + var part8 = match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); + + var part9 = match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); + + var part10 = match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); + + var select5 = linear_select([ + part9, + part10, + ]); + + var part11 = match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); + + var part12 = match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); + + var part13 = match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); + + var part14 = match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{info}"); + + var part15 = match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); + + var part16 = match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); + + var select6 = linear_select([ + part12, + part13, + part14, + part15, + part16, + ]); + + var all5 = all_match({ + processors: [ + part8, + select5, + part11, + select6, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg5 = msg("outbound/smtp", all5); + + var part17 = match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); + + var part18 = match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); + + var part19 = match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); + + var select7 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); + + var all6 = all_match({ + processors: [ + part17, + select7, + part20, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg6 = msg("000009", all6); + + var part21 = match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ + dup13, + dup4, + dup14, + setc("result"," Message accepted for delivery"), + dup32, + dup30, + dup31, + ])); + + var msg7 = msg("outbound/smtp:01", part21); + + var part22 = match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending %{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg8 = msg("outbound/smtp:02", part22); + + var part23 = match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); + + var part24 = match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); + + var part25 = match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); + + var part26 = match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); + + var part27 = match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); + + var part28 = match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); + + var part29 = match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); + + var select8 = linear_select([ + part24, + part25, + part26, + part27, + part28, + part29, + ]); + + var part30 = match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); + + var all7 = all_match({ + processors: [ + part23, + select8, + part30, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg9 = msg("000010", all7); + + var part31 = match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg10 = msg("000011", part31); + + var part32 = match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg11 = msg("000012", part32); + + var part33 = match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg12 = msg("000013", part33); + + var part34 = match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg13 = msg("000014", part34); + + var select9 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + ]); + + var part35 = match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); + + var all8 = all_match({ + processors: [ + part35, + dup33, + ], + on_success: processor_chain([ + dup16, + dup4, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + ]), + }); + + var msg14 = msg("000003", all8); + + var part36 = match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); + + var all9 = all_match({ + processors: [ + part36, + dup33, + ], + on_success: processor_chain([ + dup16, + dup4, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + ]), + }); + + var msg15 = msg("scan", all9); + + var select10 = linear_select([ + msg14, + msg15, + ]); + + var part37 = match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ + dup17, + dup4, + ])); + + var msg16 = msg("000004", part37); + + var part38 = match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", processor_chain([ + setc("eventcategory","1401030000"), + dup18, + dup19, + dup20, + setc("ec_outcome","Failure"), + dup4, + setc("action","FAILED_LOGIN"), + ])); + + var msg17 = msg("000005", part38); + + var part39 = match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ + setc("eventcategory","1605000000"), + dup4, + ])); + + var msg18 = msg("000006", part39); + + var part40 = match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ + dup17, + dup4, + setc("action","CHANGE"), + ])); + + var msg19 = msg("000007", part40); + + var part41 = match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ + setc("eventcategory","1401070000"), + dup18, + setc("ec_activity","Logoff"), + dup20, + dup4, + setc("action","LOGOUT"), + ])); + + var msg20 = msg("000029", part41); + + var part42 = match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ + setc("eventcategory","1401060000"), + dup18, + dup19, + dup20, + dup4, + setc("action","LOGIN"), + ])); + + var msg21 = msg("000030", part42); + + var select11 = linear_select([ + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + ]); + + var part43 = match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ + dup13, + dup4, + dup32, + dup30, + dup31, + ])); + + var msg22 = msg("000008", part43); + + var part44 = match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ + dup16, + dup4, + setc("event_description","report queued"), + ])); + + var msg23 = msg("reports", part44); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "inbound/pass1": select3, + "notify/smtp": msg22, + "outbound/smtp": select9, + "reports": msg23, + "scan": select10, + "web": select11, + }), + ]); + + var part45 = match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); + + var part46 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); + + var part47 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); + + var select12 = linear_select([ + dup1, + dup2, + ]); + + var select13 = linear_select([ + dup15, + dup2, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/tcp.yml.hbs b/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..070e2adbe1 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/tcp.yml.hbs @@ -0,0 +1,3371 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Barracuda" + product: "Spam" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{resultcode->} %{info}"); + + var dup2 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); + + var dup3 = setc("eventcategory","1207010201"); + + var dup4 = setf("msg","$MSG"); + + var dup5 = setc("direction","inbound"); + + var dup6 = date_time({ + dest: "starttime", + args: ["fld1"], + fmts: [ + [dX], + ], + }); + + var dup7 = date_time({ + dest: "endtime", + args: ["fld2"], + fmts: [ + [dX], + ], + }); + + var dup8 = field("fld3"); + + var dup9 = field("resultcode"); + + var dup10 = field("disposition"); + + var dup11 = field("event_cat"); + + var dup12 = setc("action"," RECV"); + + var dup13 = setc("eventcategory","1207010000"); + + var dup14 = setc("direction","outbound"); + + var dup15 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); + + var dup16 = setc("eventcategory","1207040000"); + + var dup17 = setc("eventcategory","1701020000"); + + var dup18 = setc("ec_subject","User"); + + var dup19 = setc("ec_activity","Logon"); + + var dup20 = setc("ec_theme","Authentication"); + + var dup21 = constant("Deferred Message"); + + var dup22 = constant("1207010100"); + + var dup23 = constant("1207040200"); + + var dup24 = constant("1207040100"); + + var dup25 = constant("1207010000"); + + var dup26 = constant("1207000000"); + + var dup27 = linear_select([ + dup1, + dup2, + ]); + + var dup28 = lookup({ + dest: "nwparser.disposition", + map: map_getActionName, + key: dup8, + }); + + var dup29 = lookup({ + dest: "nwparser.result", + map: map_getReasonName, + key: dup9, + }); + + var dup30 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup10, + }); + + var dup31 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup11, + }); + + var dup32 = lookup({ + dest: "nwparser.disposition", + map: map_getActionNameForSend, + key: dup8, + }); + + var dup33 = linear_select([ + dup15, + dup2, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld14"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("/"), + field("messageid"), + constant("["), + field("hfld14"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + ]); + + var part1 = match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); + + var all1 = all_match({ + processors: [ + part1, + dup27, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + dup12, + ]), + }); + + var msg1 = msg("000001", all1); + + var part2 = match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); + + var part3 = match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); + + var part4 = match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); + + var select2 = linear_select([ + part3, + part4, + ]); + + var all2 = all_match({ + processors: [ + part2, + select2, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + setc("action"," SCAN"), + ]), + }); + + var msg2 = msg("inbound/pass1", all2); + + var part5 = match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); + + var all3 = all_match({ + processors: [ + part5, + dup27, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + dup12, + ]), + }); + + var msg3 = msg("inbound/pass1:01", all3); + + var select3 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var part6 = match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); + + var part7 = match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); + + var select4 = linear_select([ + part7, + dup2, + ]); + + var all4 = all_match({ + processors: [ + part6, + select4, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg4 = msg("000002", all4); + + var part8 = match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); + + var part9 = match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); + + var part10 = match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); + + var select5 = linear_select([ + part9, + part10, + ]); + + var part11 = match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); + + var part12 = match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); + + var part13 = match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); + + var part14 = match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{info}"); + + var part15 = match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); + + var part16 = match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); + + var select6 = linear_select([ + part12, + part13, + part14, + part15, + part16, + ]); + + var all5 = all_match({ + processors: [ + part8, + select5, + part11, + select6, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg5 = msg("outbound/smtp", all5); + + var part17 = match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); + + var part18 = match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); + + var part19 = match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); + + var select7 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); + + var all6 = all_match({ + processors: [ + part17, + select7, + part20, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg6 = msg("000009", all6); + + var part21 = match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ + dup13, + dup4, + dup14, + setc("result"," Message accepted for delivery"), + dup32, + dup30, + dup31, + ])); + + var msg7 = msg("outbound/smtp:01", part21); + + var part22 = match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending %{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg8 = msg("outbound/smtp:02", part22); + + var part23 = match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); + + var part24 = match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); + + var part25 = match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); + + var part26 = match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); + + var part27 = match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); + + var part28 = match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); + + var part29 = match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); + + var select8 = linear_select([ + part24, + part25, + part26, + part27, + part28, + part29, + ]); + + var part30 = match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); + + var all7 = all_match({ + processors: [ + part23, + select8, + part30, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg9 = msg("000010", all7); + + var part31 = match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg10 = msg("000011", part31); + + var part32 = match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg11 = msg("000012", part32); + + var part33 = match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg12 = msg("000013", part33); + + var part34 = match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg13 = msg("000014", part34); + + var select9 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + ]); + + var part35 = match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); + + var all8 = all_match({ + processors: [ + part35, + dup33, + ], + on_success: processor_chain([ + dup16, + dup4, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + ]), + }); + + var msg14 = msg("000003", all8); + + var part36 = match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); + + var all9 = all_match({ + processors: [ + part36, + dup33, + ], + on_success: processor_chain([ + dup16, + dup4, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + ]), + }); + + var msg15 = msg("scan", all9); + + var select10 = linear_select([ + msg14, + msg15, + ]); + + var part37 = match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ + dup17, + dup4, + ])); + + var msg16 = msg("000004", part37); + + var part38 = match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", processor_chain([ + setc("eventcategory","1401030000"), + dup18, + dup19, + dup20, + setc("ec_outcome","Failure"), + dup4, + setc("action","FAILED_LOGIN"), + ])); + + var msg17 = msg("000005", part38); + + var part39 = match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ + setc("eventcategory","1605000000"), + dup4, + ])); + + var msg18 = msg("000006", part39); + + var part40 = match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ + dup17, + dup4, + setc("action","CHANGE"), + ])); + + var msg19 = msg("000007", part40); + + var part41 = match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ + setc("eventcategory","1401070000"), + dup18, + setc("ec_activity","Logoff"), + dup20, + dup4, + setc("action","LOGOUT"), + ])); + + var msg20 = msg("000029", part41); + + var part42 = match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ + setc("eventcategory","1401060000"), + dup18, + dup19, + dup20, + dup4, + setc("action","LOGIN"), + ])); + + var msg21 = msg("000030", part42); + + var select11 = linear_select([ + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + ]); + + var part43 = match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ + dup13, + dup4, + dup32, + dup30, + dup31, + ])); + + var msg22 = msg("000008", part43); + + var part44 = match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ + dup16, + dup4, + setc("event_description","report queued"), + ])); + + var msg23 = msg("reports", part44); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "inbound/pass1": select3, + "notify/smtp": msg22, + "outbound/smtp": select9, + "reports": msg23, + "scan": select10, + "web": select11, + }), + ]); + + var part45 = match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); + + var part46 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); + + var part47 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); + + var select12 = linear_select([ + dup1, + dup2, + ]); + + var select13 = linear_select([ + dup15, + dup2, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/udp.yml.hbs b/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..fb8d06cee9 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/agent/stream/udp.yml.hbs @@ -0,0 +1,3371 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Barracuda" + product: "Spam" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{resultcode->} %{info}"); + + var dup2 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); + + var dup3 = setc("eventcategory","1207010201"); + + var dup4 = setf("msg","$MSG"); + + var dup5 = setc("direction","inbound"); + + var dup6 = date_time({ + dest: "starttime", + args: ["fld1"], + fmts: [ + [dX], + ], + }); + + var dup7 = date_time({ + dest: "endtime", + args: ["fld2"], + fmts: [ + [dX], + ], + }); + + var dup8 = field("fld3"); + + var dup9 = field("resultcode"); + + var dup10 = field("disposition"); + + var dup11 = field("event_cat"); + + var dup12 = setc("action"," RECV"); + + var dup13 = setc("eventcategory","1207010000"); + + var dup14 = setc("direction","outbound"); + + var dup15 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); + + var dup16 = setc("eventcategory","1207040000"); + + var dup17 = setc("eventcategory","1701020000"); + + var dup18 = setc("ec_subject","User"); + + var dup19 = setc("ec_activity","Logon"); + + var dup20 = setc("ec_theme","Authentication"); + + var dup21 = constant("Deferred Message"); + + var dup22 = constant("1207010100"); + + var dup23 = constant("1207040200"); + + var dup24 = constant("1207040100"); + + var dup25 = constant("1207010000"); + + var dup26 = constant("1207000000"); + + var dup27 = linear_select([ + dup1, + dup2, + ]); + + var dup28 = lookup({ + dest: "nwparser.disposition", + map: map_getActionName, + key: dup8, + }); + + var dup29 = lookup({ + dest: "nwparser.result", + map: map_getReasonName, + key: dup9, + }); + + var dup30 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup10, + }); + + var dup31 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup11, + }); + + var dup32 = lookup({ + dest: "nwparser.disposition", + map: map_getActionNameForSend, + key: dup8, + }); + + var dup33 = linear_select([ + dup15, + dup2, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld14"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("/"), + field("messageid"), + constant("["), + field("hfld14"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + ]); + + var part1 = match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); + + var all1 = all_match({ + processors: [ + part1, + dup27, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + dup12, + ]), + }); + + var msg1 = msg("000001", all1); + + var part2 = match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); + + var part3 = match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); + + var part4 = match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); + + var select2 = linear_select([ + part3, + part4, + ]); + + var all2 = all_match({ + processors: [ + part2, + select2, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + setc("action"," SCAN"), + ]), + }); + + var msg2 = msg("inbound/pass1", all2); + + var part5 = match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); + + var all3 = all_match({ + processors: [ + part5, + dup27, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + dup12, + ]), + }); + + var msg3 = msg("inbound/pass1:01", all3); + + var select3 = linear_select([ + msg1, + msg2, + msg3, + ]); + + var part6 = match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); + + var part7 = match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); + + var select4 = linear_select([ + part7, + dup2, + ]); + + var all4 = all_match({ + processors: [ + part6, + select4, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg4 = msg("000002", all4); + + var part8 = match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); + + var part9 = match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); + + var part10 = match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); + + var select5 = linear_select([ + part9, + part10, + ]); + + var part11 = match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); + + var part12 = match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); + + var part13 = match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); + + var part14 = match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{info}"); + + var part15 = match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); + + var part16 = match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); + + var select6 = linear_select([ + part12, + part13, + part14, + part15, + part16, + ]); + + var all5 = all_match({ + processors: [ + part8, + select5, + part11, + select6, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg5 = msg("outbound/smtp", all5); + + var part17 = match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); + + var part18 = match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); + + var part19 = match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); + + var select7 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); + + var all6 = all_match({ + processors: [ + part17, + select7, + part20, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg6 = msg("000009", all6); + + var part21 = match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ + dup13, + dup4, + dup14, + setc("result"," Message accepted for delivery"), + dup32, + dup30, + dup31, + ])); + + var msg7 = msg("outbound/smtp:01", part21); + + var part22 = match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending %{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg8 = msg("outbound/smtp:02", part22); + + var part23 = match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); + + var part24 = match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); + + var part25 = match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); + + var part26 = match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); + + var part27 = match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); + + var part28 = match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); + + var part29 = match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); + + var select8 = linear_select([ + part24, + part25, + part26, + part27, + part28, + part29, + ]); + + var part30 = match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); + + var all7 = all_match({ + processors: [ + part23, + select8, + part30, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), + }); + + var msg9 = msg("000010", all7); + + var part31 = match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg10 = msg("000011", part31); + + var part32 = match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg11 = msg("000012", part32); + + var part33 = match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg12 = msg("000013", part33); + + var part34 = match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ])); + + var msg13 = msg("000014", part34); + + var select9 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + ]); + + var part35 = match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); + + var all8 = all_match({ + processors: [ + part35, + dup33, + ], + on_success: processor_chain([ + dup16, + dup4, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + ]), + }); + + var msg14 = msg("000003", all8); + + var part36 = match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); + + var all9 = all_match({ + processors: [ + part36, + dup33, + ], + on_success: processor_chain([ + dup16, + dup4, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + ]), + }); + + var msg15 = msg("scan", all9); + + var select10 = linear_select([ + msg14, + msg15, + ]); + + var part37 = match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ + dup17, + dup4, + ])); + + var msg16 = msg("000004", part37); + + var part38 = match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", processor_chain([ + setc("eventcategory","1401030000"), + dup18, + dup19, + dup20, + setc("ec_outcome","Failure"), + dup4, + setc("action","FAILED_LOGIN"), + ])); + + var msg17 = msg("000005", part38); + + var part39 = match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ + setc("eventcategory","1605000000"), + dup4, + ])); + + var msg18 = msg("000006", part39); + + var part40 = match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ + dup17, + dup4, + setc("action","CHANGE"), + ])); + + var msg19 = msg("000007", part40); + + var part41 = match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ + setc("eventcategory","1401070000"), + dup18, + setc("ec_activity","Logoff"), + dup20, + dup4, + setc("action","LOGOUT"), + ])); + + var msg20 = msg("000029", part41); + + var part42 = match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ + setc("eventcategory","1401060000"), + dup18, + dup19, + dup20, + dup4, + setc("action","LOGIN"), + ])); + + var msg21 = msg("000030", part42); + + var select11 = linear_select([ + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + ]); + + var part43 = match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ + dup13, + dup4, + dup32, + dup30, + dup31, + ])); + + var msg22 = msg("000008", part43); + + var part44 = match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ + dup16, + dup4, + setc("event_description","report queued"), + ])); + + var msg23 = msg("reports", part44); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "inbound/pass1": select3, + "notify/smtp": msg22, + "outbound/smtp": select9, + "reports": msg23, + "scan": select10, + "web": select11, + }), + ]); + + var part45 = match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); + + var part46 = match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); + + var part47 = match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); + + var select12 = linear_select([ + dup1, + dup2, + ]); + + var select13 = linear_select([ + dup15, + dup2, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/elasticsearch/ingest_pipeline/default.yml b/packages/barracuda/0.11.2/data_stream/spamfirewall/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..9b33c73778 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,68 @@ +--- +description: Pipeline for Barracuda Spam Firewall + +processors: + - set: + field: ecs.version + value: '8.4.0' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/base-fields.yml b/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/base-fields.yml new file mode 100755 index 0000000000..2e783256e8 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/base-fields.yml @@ -0,0 +1,38 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: barracuda +- name: event.dataset + type: constant_keyword + description: Event dataset + value: barracuda.spamfirewall +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/ecs.yml b/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/ecs.yml new file mode 100755 index 0000000000..f7e5c95752 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/ecs.yml @@ -0,0 +1,547 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/fields.yml b/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/fields.yml new file mode 100755 index 0000000000..fc0f1ba52a --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/fields/fields.yml @@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + description: Server domain +- name: network.interface.name + type: keyword diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/manifest.yml b/packages/barracuda/0.11.2/data_stream/spamfirewall/manifest.yml new file mode 100755 index 0000000000..7361b92c19 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/manifest.yml @@ -0,0 +1,205 @@ +title: Barracuda Spam Firewall logs +release: experimental +type: logs +streams: + - input: udp + title: Barracuda Spam Firewall logs + description: Collect Barracuda Spam Firewall logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - barracuda-spamfirewall + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 9540 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Barracuda Spam Firewall logs + description: Collect Barracuda Spam Firewall logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - barracuda-spamfirewall + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP port to listen on + multi: false + required: true + show_user: true + default: 9540 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + enabled: false + title: Barracuda Spam Firewall logs + description: Collect Barracuda Spam Firewall logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/barracuda-spamfirewall.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - barracuda-spamfirewall + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/barracuda/0.11.2/data_stream/spamfirewall/sample_event.json b/packages/barracuda/0.11.2/data_stream/spamfirewall/sample_event.json new file mode 100755 index 0000000000..a5a7e45902 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/spamfirewall/sample_event.json @@ -0,0 +1,80 @@ +{ + "@timestamp": "2022-01-25T11:57:27.112Z", + "agent": { + "ephemeral_id": "cf4d5a76-6d8b-47ef-a35e-5723c68d726c", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "barracuda.spamfirewall", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "accept", + "agent_id_status": "verified", + "code": "notify/smtp", + "dataset": "barracuda.spamfirewall", + "ingested": "2022-01-25T11:57:28Z", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:41726" + } + }, + "network": { + "bytes": 1090 + }, + "observer": { + "product": "Spam", + "type": "Anti-Virus", + "vendor": "Barracuda", + "version": "1.2364" + }, + "related": { + "ip": [ + "10.224.15.48" + ] + }, + "rsa": { + "db": { + "index": "ritin\n" + }, + "email": { + "email_src": "ivelitse" + }, + "internal": { + "messageid": "notify/smtp" + }, + "misc": { + "action": [ + "accept" + ], + "log_session_id": "illumqui", + "version": "1.2364" + } + }, + "source": { + "ip": [ + "10.224.15.48" + ] + }, + "tags": [ + "barracuda-spamfirewall", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/barracuda/0.11.2/data_stream/waf/agent/stream/stream.yml.hbs b/packages/barracuda/0.11.2/data_stream/waf/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..2791ad1e19 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/agent/stream/stream.yml.hbs @@ -0,0 +1,3938 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Barracuda" + product: "Web" + type: "WAF" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + + var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + + var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + + var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + + var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + + var dup17 = setc("eventcategory","1204000000"); + + var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); + + var dup19 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); + + var dup20 = setf("msg_id","web_method"); + + var dup21 = setc("category","TR"); + + var dup22 = setc("vid","TR_Logs"); + + var dup23 = linear_select([ + dup13, + dup14, + ]); + + var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + ])); + + var dup25 = linear_select([ + dup18, + dup19, + ]); + + var dup26 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var dup27 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(":"), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone->} Unit=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0009"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" TR "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0007"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" AUDIT "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0008"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" WF "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("htimezone"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld10"), + constant(" "), + field("hfld11"), + constant(" "), + field("hhost"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + ]); + + var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version->} is available", processor_chain([ + setc("eventcategory","1502030000"), + setc("event_description","UPDATE: ALERT New attack definition version is available"), + ])); + + var msg1 = msg("UPDATE", part1); + + var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{id}] Server %{daddr}:%{dport->} is disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ + setc("eventcategory","1603000000"), + setc("event_description","STM: LB Server disabled by out of band monitor"), + ])); + + var msg2 = msg("STM:01", part2); + + var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} Server %{saddr->} is created.", processor_chain([ + dup3, + setc("event_description","STM: LB Server created."), + ])); + + var msg3 = msg("STM:02", part3); + + var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2->} Cookie Encryption Key has already expired", processor_chain([ + setc("eventcategory","1613030100"), + setc("event_description","STM: SSKEY Cookie Encryption Key has already expired."), + ])); + + var msg4 = msg("STM:03", part4); + + var part5 = match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Module CookieKey registered with Stateful Failover module.", processor_chain([ + dup4, + setc("event_description","STM:FAILOVE Module CookieKey registered with Stateful Failover module."), + ])); + + var msg5 = msg("STM:04", part5); + + var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2->} FEHC Monitor Module initialized.", processor_chain([ + dup3, + setc("event_description","STM:FECHMON FEHC Monitor Module initialized."), + ])); + + var msg6 = msg("STM:05", part6); + + var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Stateful Failover Module initialized.", processor_chain([ + dup3, + setc("event_description","STM: FAILOVE Stateful Failover Module initialized."), + ])); + + var msg7 = msg("STM:06", part7); + + var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3->} [%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE New Service created."), + ])); + + var msg8 = msg("STM:07", part8); + + var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2->} Ssl Initialization", processor_chain([ + dup4, + setc("event_description","STM: SSL Initialization."), + ])); + + var msg9 = msg("STM:08", part9); + + var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} LookupServerCtx = %{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB-LookupServerCtx."), + ])); + + var msg10 = msg("STM:09", part10); + + var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps ParamProtectionClonePatterns values changed."), + ])); + + var msg11 = msg("STM:10", part11); + + var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SapCtx log."), + ])); + + var msg12 = msg("STM:11", part12); + + var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ + dup3, + setc("event_description","STM: CACHE SapCtx log."), + ])); + + var msg13 = msg("STM:12", part13); + + var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2->} Ftp proxy initialized %{info}", processor_chain([ + dup3, + setc("event_description","STM: FTPSVC Ftp proxy initialized."), + ])); + + var msg14 = msg("STM:13", part14); + + var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2->} Secure Traffic Manager Initialization complete: %{info}", processor_chain([ + dup3, + setc("event_description","STM: STM Secure Traffic Manager Initialization complete."), + ])); + + var msg15 = msg("STM:14", part15); + + var part16 = match("MESSAGE#15:STM:15", "nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name->} = %{info}", processor_chain([ + dup3, + setc("event_description","STM: COOKIE Cookie parameters set."), + ])); + + var msg16 = msg("STM:15", part16); + + var part17 = match("MESSAGE#16:STM:16", "nwparser.payload", "STM: WebLog-%{fld1->} %{fld2->} %{obj_name}: SapCtx=%{fld3},SapId=%{fld4}, %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: WebLog Set Sap variable."), + ])); + + var msg17 = msg("STM:16", part17); + + var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5->} grp: %{info}", processor_chain([ + dup3, + setc("event_description","STM: aps Set AddIpsPatternGroup."), + ])); + + var msg18 = msg("STM:17", part18); + + var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddPCInfoKeyWordMeta."), + ])); + + var msg19 = msg("STM:18", part19); + + var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClass."), + ])); + + var msg20 = msg("STM:19", part20); + + var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassPatternsAndDFA."), + ])); + + var msg21 = msg("STM:20", part21); + + var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassClonePatternsInfo."), + ])); + + var msg22 = msg("STM:21", part22); + + var part23 = match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsLogIntrusionOn."), + ])); + + var msg23 = msg("STM:22", part23); + + var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: aps AddIpsCloakFilterRespHeader."), + ])); + + var msg24 = msg("STM:23", part24); + + var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicy."), + ])); + + var msg25 = msg("STM:24", part25); + + var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicyDfa."), + ])); + + var msg26 = msg("STM:25", part26); + + var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ + dup3, + dup5, + ])); + + var msg27 = msg("STM:26", part27); + + var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} CreateRC: RC Add policy Success", processor_chain([ + dup3, + setc("event_description","STM: aps CreateRC: RC Add policy Success."), + ])); + + var msg28 = msg("STM:27", part28); + + var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetSap%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Sap command."), + ])); + + var msg29 = msg("STM:28", part29); + + var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Server command."), + ])); + + var msg30 = msg("STM:29", part30); + + var part31 = match("MESSAGE#30:STM:30", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} AddServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Add Server command."), + ])); + + var msg31 = msg("STM:30", part31); + + var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} CreateServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Create Server command."), + ])); + + var msg32 = msg("STM:31", part32); + + var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} EnableServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Enable Server command."), + ])); + + var msg33 = msg("STM:32", part33); + + var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB ActiveServerOutOfBandMonitorAttr command."), + ])); + + var msg34 = msg("STM:33", part34); + + var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} BindServerToSap =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB BindServerToSap command."), + ])); + + var msg35 = msg("STM:34", part35); + + var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{fld3}] Server %{saddr}:%{sport->} is enabled by out of band monitor. Reason:out of band monitor", processor_chain([ + dup3, + setc("event_description","STM: LB Server is enabled by out of band monitor Reason out of band monitor"), + ])); + + var msg36 = msg("STM:35", part36); + + var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2->} [%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE Server service started command."), + ])); + + var msg37 = msg("STM:36", part37); + + var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2->} CreateRP: Response Page %{fld3->} created successfully", processor_chain([ + dup3, + setc("event_description","STM: RespPage Response Page created successfully."), + ])); + + var msg38 = msg("STM:37", part38); + + var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: AddWATReqRewriteRule AclName."), + ])); + + var msg39 = msg("STM:38", part39); + + var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewriteRuleNameWithKe AclName."), + ])); + + var msg40 = msg("STM:39", part40); + + var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewritePolicyOn."), + ])); + + var msg41 = msg("STM:40", part41); + + var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsOn."), + ])); + + var msg42 = msg("STM:41", part42); + + var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ + dup3, + dup5, + ])); + + var msg43 = msg("STM:42", part43); + + var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATRespRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATRespRewritePolicyOn."), + ])); + + var msg44 = msg("STM:43", part44); + + var select2 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part45 = match("MESSAGE#44:STM_WRAPPER:01", "nwparser.payload", "STM_WRAPPER: command(--digest) execution status = %{info}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: command execution status."), + ])); + + var msg45 = msg("STM_WRAPPER:01", part45); + + var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2->} which exceeds the %{fld3->} safe limit. Please check your configuration.", processor_chain([ + dup6, + setc("event_description","STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit."), + ])); + + var msg46 = msg("STM_WRAPPER:02", part46); + + var part47 = match("MESSAGE#46:STM_WRAPPER:03", "nwparser.payload", "STM_WRAPPER: Committing UI configuration.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Committing UI configuration."), + ])); + + var msg47 = msg("STM_WRAPPER:03", part47); + + var part48 = match("MESSAGE#47:STM_WRAPPER:04", "nwparser.payload", "STM_WRAPPER: Successfully stopped STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully stopped STM."), + ])); + + var msg48 = msg("STM_WRAPPER:04", part48); + + var part49 = match("MESSAGE#48:STM_WRAPPER:05", "nwparser.payload", "STM_WRAPPER: Successfully initialized STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully initialized STM."), + ])); + + var msg49 = msg("STM_WRAPPER:05", part49); + + var part50 = match("MESSAGE#49:STM_WRAPPER:06", "nwparser.payload", "STM_WRAPPER: Initializing STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Initializing STM."), + ])); + + var msg50 = msg("STM_WRAPPER:06", part50); + + var part51 = match("MESSAGE#50:STM_WRAPPER:07", "nwparser.payload", "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed."), + ])); + + var msg51 = msg("STM_WRAPPER:07", part51); + + var select3 = linear_select([ + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1->} RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT: RPC information."), + ])); + + var msg52 = msg("CONFIG_AGENT:01", part52); + + var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Received put-tree command."), + ])); + + var msg53 = msg("CONFIG_AGENT:02", part53); + + var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3}", processor_chain([ + dup4, + setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), + ])); + + var msg54 = msg("CONFIG_AGENT:03", part54); + + var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1->} Initiating config_agent database commit phase.", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Initiating config_agent database commit phase."), + ])); + + var msg55 = msg("CONFIG_AGENT:04", part55); + + var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Update succeeded", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Update succeded."), + ])); + + var msg56 = msg("CONFIG_AGENT:05", part56); + + var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:No rules."), + ])); + + var msg57 = msg("CONFIG_AGENT:06", part57); + + var select4 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + ]); + + var part58 = match("MESSAGE#57:PROCMON:01", "nwparser.payload", "PROCMON: Started monitoring%{}", processor_chain([ + dup3, + setc("event_description","PROCMON: Started monitoring"), + ])); + + var msg58 = msg("PROCMON:01", part58); + + var part59 = match("MESSAGE#58:PROCMON:02", "nwparser.payload", "PROCMON: number of stm worker threads is%{info}", processor_chain([ + dup3, + setc("event_description","PROCMON: number of stm worker threads"), + ])); + + var msg59 = msg("PROCMON:02", part59); + + var part60 = match("MESSAGE#59:PROCMON:03", "nwparser.payload", "PROCMON: Monitoring links: %{interface}", processor_chain([ + dup3, + setc("event_description","PROCMON: Monitoring links."), + ])); + + var msg60 = msg("PROCMON:03", part60); + + var part61 = match("MESSAGE#60:PROCMON:04", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] %{interface}: link is up", processor_chain([ + dup3, + setc("event_description","PROCMON:Link is up."), + ])); + + var msg61 = msg("PROCMON:04", part61); + + var part62 = match("MESSAGE#61:PROCMON:05", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] Firmware storage exceeds %{info}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","PROCMON:Firmware storage exceeding."), + ])); + + var msg62 = msg("PROCMON:05", part62); + + var part63 = match("MESSAGE#62:PROCMON:06", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] One of the RAID arrays is degrading.", processor_chain([ + dup6, + setc("event_description","PROCMON:One of the RAID arrays is degrading."), + ])); + + var msg63 = msg("PROCMON:06", part63); + + var select5 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + ]); + + var part64 = match("MESSAGE#63:BYPASS:01", "nwparser.payload", "BYPASS: State set to normal: starting heartbeat.%{}", processor_chain([ + dup3, + setc("event_description","BYPASS: State set to normal: starting heartbeat."), + ])); + + var msg64 = msg("BYPASS:01", part64); + + var part65 = match("MESSAGE#64:BYPASS:02", "nwparser.payload", "BYPASS: Mode change: %{fld1},%{fld2}", processor_chain([ + dup3, + setc("event_description","Mode change."), + ])); + + var msg65 = msg("BYPASS:02", part65); + + var part66 = match("MESSAGE#65:BYPASS:03", "nwparser.payload", "BYPASS: Mode set to BYPASS (%{fld2}).", processor_chain([ + dup3, + setc("event_description"," Mode set to BYPASS."), + ])); + + var msg66 = msg("BYPASS:03", part66); + + var part67 = match("MESSAGE#66:BYPASS:04", "nwparser.payload", "BYPASS: Mode set to never bypass.%{}", processor_chain([ + dup3, + setc("event_description"," Mode set to never BYPASS."), + ])); + + var msg67 = msg("BYPASS:04", part67); + + var select6 = linear_select([ + msg64, + msg65, + msg66, + msg67, + ]); + + var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2->} to %{fld3}", processor_chain([ + dup3, + setc("event_description"," INSTALL: migrating configuration."), + ])); + + var msg68 = msg("INSTALL:01", part68); + + var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2->} release.", processor_chain([ + dup3, + setc("event_description"," INSTALL: Loading snapshot from previous version."), + ])); + + var msg69 = msg("INSTALL:02", part69); + + var select7 = linear_select([ + msg68, + msg69, + ]); + + var part70 = match("MESSAGE#69:eventmgr:01", "nwparser.payload", "eventmgr: Forwarding log messages to syslog host #%{fld3}, address=%{hostip}", processor_chain([ + dup3, + setc("event_description","eventmgr: Forwarding log messages to syslog host"), + ])); + + var msg70 = msg("eventmgr:01", part70); + + var part71 = match("MESSAGE#70:eventmgr:02", "nwparser.payload", "eventmgr: Event manager startup succeeded.%{}", processor_chain([ + dup3, + setc("event_description","eventmgr: Event manager startup succeeded."), + ])); + + var msg71 = msg("eventmgr:02", part71); + + var select8 = linear_select([ + msg70, + msg71, + ]); + + var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + setc("event_description"," Configuration changes made."), + dup8, + ])); + + var msg72 = msg("CONFIG", part72); + + var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401060000"), + setc("event_description"," Login."), + dup8, + ])); + + var msg73 = msg("LOGIN", part73); + + var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("event_description"," Session timeout."), + dup8, + ])); + + var msg74 = msg("SESSION_TIMEOUT", part74); + + var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + setc("ec_theme","Authentication"), + setc("ec_outcome","Success"), + setc("event_description"," Logout."), + dup8, + ])); + + var msg75 = msg("LOGOUT", part75); + + var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401030000"), + setc("event_description"," Unsuccessful login."), + dup8, + ])); + + var msg76 = msg("UNSUCCESSFUL_LOGIN", part76); + + var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Operating in Transport Mode"), + dup8, + ])); + + var msg77 = msg("TRANSPARENT_MODE", part77); + + var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Support Tunnel Opened"), + dup8, + ])); + + var msg78 = msg("SUPPORT_TUNNEL_OPEN", part78); + + var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Update"), + dup8, + ])); + + var msg79 = msg("FIRMWARE_UPDATE", part79); + + var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Revert."), + dup8, + ])); + + var msg80 = msg("FIRMWARE_REVERT", part80); + + var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System Reboot."), + dup8, + ])); + + var msg81 = msg("REBOOT", part81); + + var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System ROLLBACK."), + dup8, + ])); + + var msg82 = msg("ROLLBACK", part82); + + var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} \"[%{result}]\" %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, + ])); + + var msg83 = msg("HEADER_COUNT_EXCEEDED:01", part83); + + var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, + ])); + + var msg84 = msg("HEADER_COUNT_EXCEEDED:02", part84); + + var msg85 = msg("HEADER_COUNT_EXCEEDED", dup26); + + var select9 = linear_select([ + msg83, + msg84, + msg85, + ]); + + var msg86 = msg("CROSS_SITE_SCRIPTING_IN_PARAM:01", dup27); + + var msg87 = msg("CROSS_SITE_SCRIPTING_IN_PARAM", dup26); + + var select10 = linear_select([ + msg86, + msg87, + ]); + + var msg88 = msg("SQL_INJECTION_IN_URL:01", dup27); + + var msg89 = msg("SQL_INJECTION_IN_URL", dup26); + + var select11 = linear_select([ + msg88, + msg89, + ]); + + var msg90 = msg("OS_CMD_INJECTION_IN_URL:01", dup27); + + var msg91 = msg("OS_CMD_INJECTION_IN_URL", dup26); + + var select12 = linear_select([ + msg90, + msg91, + ]); + + var msg92 = msg("TILDE_IN_URL:01", dup27); + + var msg93 = msg("TILDE_IN_URL", dup26); + + var select13 = linear_select([ + msg92, + msg93, + ]); + + var msg94 = msg("SQL_INJECTION_IN_PARAM:01", dup27); + + var msg95 = msg("SQL_INJECTION_IN_PARAM", dup26); + + var select14 = linear_select([ + msg94, + msg95, + ]); + + var part85 = match("MESSAGE#95:OS_CMD_INJECTION_IN_PARAM:01/1_1", "nwparser.p0", "[%{result->} \"] %{p0}"); + + var select15 = linear_select([ + dup13, + part85, + dup14, + ]); + + var all1 = all_match({ + processors: [ + dup12, + select15, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var msg96 = msg("OS_CMD_INJECTION_IN_PARAM:01", all1); + + var msg97 = msg("OS_CMD_INJECTION_IN_PARAM", dup26); + + var select16 = linear_select([ + msg96, + msg97, + ]); + + var msg98 = msg("METHOD_NOT_ALLOWED:01", dup27); + + var msg99 = msg("METHOD_NOT_ALLOWED", dup26); + + var select17 = linear_select([ + msg98, + msg99, + ]); + + var msg100 = msg("ERROR_RESPONSE_SUPPRESSED:01", dup27); + + var msg101 = msg("ERROR_RESPONSE_SUPPRESSED", dup26); + + var select18 = linear_select([ + msg100, + msg101, + ]); + + var msg102 = msg("DENY_ACL_MATCHED:01", dup27); + + var msg103 = msg("DENY_ACL_MATCHED", dup26); + + var select19 = linear_select([ + msg102, + msg103, + ]); + + var msg104 = msg("NO_DOMAIN_MATCH_IN_PROFILE", dup24); + + var msg105 = msg("NO_URL_PROFILE_MATCH", dup24); + + var msg106 = msg("UNRECOGNIZED_COOKIE", dup24); + + var msg107 = msg("HEADER_VALUE_LENGTH_EXCEEDED", dup24); + + var msg108 = msg("UNKNOWN_CONTENT_TYPE", dup24); + + var msg109 = msg("INVALID_URL_ENCODING", dup24); + + var msg110 = msg("INVALID_URL_CHARSET", dup24); + + var msg111 = msg("CROSS_SITE_SCRIPTING_IN_URL:01", dup27); + + var msg112 = msg("CROSS_SITE_SCRIPTING_IN_URL", dup26); + + var select20 = linear_select([ + msg111, + msg112, + ]); + + var msg113 = msg("SLASH_DOT_IN_URL:01", dup27); + + var msg114 = msg("SLASH_DOT_IN_URL", dup26); + + var select21 = linear_select([ + msg113, + msg114, + ]); + + var part86 = match("MESSAGE#114:SYS", "nwparser.payload", "%{fld9->} %{fld10->} %{timezone->} %{fld11->} %{category->} %{event_type->} %{severity->} %{operation_id->} %{event_description}", processor_chain([ + dup3, + date_time({ + dest: "event_time", + args: ["hfld9","hfld10"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ])); + + var msg115 = msg("SYS", part86); + + var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log->} Severity=%{severity->} Protocol=%{protocol->} SourceIP=%{saddr->} SourcePort=%{sport->} DestIP=%{daddr->} DestPort=%{dport->} Action=%{action->} AdminName=%{administrator->} Details=%{info}", processor_chain([ + dup17, + date_time({ + dest: "event_time", + args: ["hfld1","hfld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ])); + + var msg116 = msg("BARRACUDAWAF", part87); + + var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + dup8, + setc("category","AUDIT"), + setc("vid","Audit_Logs"), + ])); + + var msg117 = msg("Audit_Logs", part88); + + var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + setc("category","WF"), + setc("vid","WF"), + ])); + + var msg118 = msg("WF", part89); + + var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all2 = all_match({ + processors: [ + part90, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg119 = msg("TR_Logs:01", all2); + + var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all3 = all_match({ + processors: [ + part91, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg120 = msg("TR_Logs:02", all3); + + var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all4 = all_match({ + processors: [ + part92, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg121 = msg("TR_Logs:03", all4); + + var part93 = match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all5 = all_match({ + processors: [ + part93, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg122 = msg("TR_Logs", all5); + + var select22 = linear_select([ + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "BARRACUDAWAF": msg116, + "BARRACUDA_GENRIC": select22, + "BYPASS": select6, + "CONFIG": msg72, + "CONFIG_AGENT": select4, + "CROSS_SITE_SCRIPTING_IN_PARAM": select10, + "CROSS_SITE_SCRIPTING_IN_URL": select20, + "DENY_ACL_MATCHED": select19, + "ERROR_RESPONSE_SUPPRESSED": select18, + "FIRMWARE_REVERT": msg80, + "FIRMWARE_UPDATE": msg79, + "HEADER_COUNT_EXCEEDED": select9, + "HEADER_VALUE_LENGTH_EXCEEDED": msg107, + "INSTALL": select7, + "INVALID_URL_CHARSET": msg110, + "INVALID_URL_ENCODING": msg109, + "LOGIN": msg73, + "LOGOUT": msg75, + "METHOD_NOT_ALLOWED": select17, + "NO_DOMAIN_MATCH_IN_PROFILE": msg104, + "NO_URL_PROFILE_MATCH": msg105, + "OS_CMD_INJECTION_IN_PARAM": select16, + "OS_CMD_INJECTION_IN_URL": select12, + "PROCMON": select5, + "REBOOT": msg81, + "ROLLBACK": msg82, + "SESSION_TIMEOUT": msg74, + "SLASH_DOT_IN_URL": select21, + "SQL_INJECTION_IN_PARAM": select14, + "SQL_INJECTION_IN_URL": select11, + "STM": select2, + "STM_WRAPPER": select3, + "SUPPORT_TUNNEL_OPEN": msg78, + "SYS": msg115, + "TILDE_IN_URL": select13, + "TRANSPARENT_MODE": msg77, + "UNKNOWN_CONTENT_TYPE": msg108, + "UNRECOGNIZED_COOKIE": msg106, + "UNSUCCESSFUL_LOGIN": msg76, + "UPDATE": msg1, + "eventmgr": select8, + }), + ]); + + var part94 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + + var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + + var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + + var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + + var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + + var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); + + var part100 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); + + var select23 = linear_select([ + dup13, + dup14, + ]); + + var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + ])); + + var select24 = linear_select([ + dup18, + dup19, + ]); + + var all6 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var all7 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/barracuda/0.11.2/data_stream/waf/agent/stream/tcp.yml.hbs b/packages/barracuda/0.11.2/data_stream/waf/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..1221407609 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/agent/stream/tcp.yml.hbs @@ -0,0 +1,3935 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Barracuda" + product: "Web" + type: "WAF" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + + var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + + var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + + var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + + var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + + var dup17 = setc("eventcategory","1204000000"); + + var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); + + var dup19 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); + + var dup20 = setf("msg_id","web_method"); + + var dup21 = setc("category","TR"); + + var dup22 = setc("vid","TR_Logs"); + + var dup23 = linear_select([ + dup13, + dup14, + ]); + + var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + ])); + + var dup25 = linear_select([ + dup18, + dup19, + ]); + + var dup26 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var dup27 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(":"), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone->} Unit=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0009"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" TR "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0007"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" AUDIT "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0008"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" WF "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("htimezone"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld10"), + constant(" "), + field("hfld11"), + constant(" "), + field("hhost"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + ]); + + var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version->} is available", processor_chain([ + setc("eventcategory","1502030000"), + setc("event_description","UPDATE: ALERT New attack definition version is available"), + ])); + + var msg1 = msg("UPDATE", part1); + + var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{id}] Server %{daddr}:%{dport->} is disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ + setc("eventcategory","1603000000"), + setc("event_description","STM: LB Server disabled by out of band monitor"), + ])); + + var msg2 = msg("STM:01", part2); + + var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} Server %{saddr->} is created.", processor_chain([ + dup3, + setc("event_description","STM: LB Server created."), + ])); + + var msg3 = msg("STM:02", part3); + + var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2->} Cookie Encryption Key has already expired", processor_chain([ + setc("eventcategory","1613030100"), + setc("event_description","STM: SSKEY Cookie Encryption Key has already expired."), + ])); + + var msg4 = msg("STM:03", part4); + + var part5 = match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Module CookieKey registered with Stateful Failover module.", processor_chain([ + dup4, + setc("event_description","STM:FAILOVE Module CookieKey registered with Stateful Failover module."), + ])); + + var msg5 = msg("STM:04", part5); + + var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2->} FEHC Monitor Module initialized.", processor_chain([ + dup3, + setc("event_description","STM:FECHMON FEHC Monitor Module initialized."), + ])); + + var msg6 = msg("STM:05", part6); + + var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Stateful Failover Module initialized.", processor_chain([ + dup3, + setc("event_description","STM: FAILOVE Stateful Failover Module initialized."), + ])); + + var msg7 = msg("STM:06", part7); + + var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3->} [%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE New Service created."), + ])); + + var msg8 = msg("STM:07", part8); + + var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2->} Ssl Initialization", processor_chain([ + dup4, + setc("event_description","STM: SSL Initialization."), + ])); + + var msg9 = msg("STM:08", part9); + + var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} LookupServerCtx = %{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB-LookupServerCtx."), + ])); + + var msg10 = msg("STM:09", part10); + + var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps ParamProtectionClonePatterns values changed."), + ])); + + var msg11 = msg("STM:10", part11); + + var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SapCtx log."), + ])); + + var msg12 = msg("STM:11", part12); + + var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ + dup3, + setc("event_description","STM: CACHE SapCtx log."), + ])); + + var msg13 = msg("STM:12", part13); + + var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2->} Ftp proxy initialized %{info}", processor_chain([ + dup3, + setc("event_description","STM: FTPSVC Ftp proxy initialized."), + ])); + + var msg14 = msg("STM:13", part14); + + var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2->} Secure Traffic Manager Initialization complete: %{info}", processor_chain([ + dup3, + setc("event_description","STM: STM Secure Traffic Manager Initialization complete."), + ])); + + var msg15 = msg("STM:14", part15); + + var part16 = match("MESSAGE#15:STM:15", "nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name->} = %{info}", processor_chain([ + dup3, + setc("event_description","STM: COOKIE Cookie parameters set."), + ])); + + var msg16 = msg("STM:15", part16); + + var part17 = match("MESSAGE#16:STM:16", "nwparser.payload", "STM: WebLog-%{fld1->} %{fld2->} %{obj_name}: SapCtx=%{fld3},SapId=%{fld4}, %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: WebLog Set Sap variable."), + ])); + + var msg17 = msg("STM:16", part17); + + var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5->} grp: %{info}", processor_chain([ + dup3, + setc("event_description","STM: aps Set AddIpsPatternGroup."), + ])); + + var msg18 = msg("STM:17", part18); + + var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddPCInfoKeyWordMeta."), + ])); + + var msg19 = msg("STM:18", part19); + + var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClass."), + ])); + + var msg20 = msg("STM:19", part20); + + var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassPatternsAndDFA."), + ])); + + var msg21 = msg("STM:20", part21); + + var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassClonePatternsInfo."), + ])); + + var msg22 = msg("STM:21", part22); + + var part23 = match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsLogIntrusionOn."), + ])); + + var msg23 = msg("STM:22", part23); + + var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: aps AddIpsCloakFilterRespHeader."), + ])); + + var msg24 = msg("STM:23", part24); + + var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicy."), + ])); + + var msg25 = msg("STM:24", part25); + + var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicyDfa."), + ])); + + var msg26 = msg("STM:25", part26); + + var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ + dup3, + dup5, + ])); + + var msg27 = msg("STM:26", part27); + + var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} CreateRC: RC Add policy Success", processor_chain([ + dup3, + setc("event_description","STM: aps CreateRC: RC Add policy Success."), + ])); + + var msg28 = msg("STM:27", part28); + + var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetSap%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Sap command."), + ])); + + var msg29 = msg("STM:28", part29); + + var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Server command."), + ])); + + var msg30 = msg("STM:29", part30); + + var part31 = match("MESSAGE#30:STM:30", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} AddServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Add Server command."), + ])); + + var msg31 = msg("STM:30", part31); + + var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} CreateServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Create Server command."), + ])); + + var msg32 = msg("STM:31", part32); + + var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} EnableServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Enable Server command."), + ])); + + var msg33 = msg("STM:32", part33); + + var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB ActiveServerOutOfBandMonitorAttr command."), + ])); + + var msg34 = msg("STM:33", part34); + + var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} BindServerToSap =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB BindServerToSap command."), + ])); + + var msg35 = msg("STM:34", part35); + + var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{fld3}] Server %{saddr}:%{sport->} is enabled by out of band monitor. Reason:out of band monitor", processor_chain([ + dup3, + setc("event_description","STM: LB Server is enabled by out of band monitor Reason out of band monitor"), + ])); + + var msg36 = msg("STM:35", part36); + + var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2->} [%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE Server service started command."), + ])); + + var msg37 = msg("STM:36", part37); + + var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2->} CreateRP: Response Page %{fld3->} created successfully", processor_chain([ + dup3, + setc("event_description","STM: RespPage Response Page created successfully."), + ])); + + var msg38 = msg("STM:37", part38); + + var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: AddWATReqRewriteRule AclName."), + ])); + + var msg39 = msg("STM:38", part39); + + var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewriteRuleNameWithKe AclName."), + ])); + + var msg40 = msg("STM:39", part40); + + var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewritePolicyOn."), + ])); + + var msg41 = msg("STM:40", part41); + + var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsOn."), + ])); + + var msg42 = msg("STM:41", part42); + + var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ + dup3, + dup5, + ])); + + var msg43 = msg("STM:42", part43); + + var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATRespRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATRespRewritePolicyOn."), + ])); + + var msg44 = msg("STM:43", part44); + + var select2 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part45 = match("MESSAGE#44:STM_WRAPPER:01", "nwparser.payload", "STM_WRAPPER: command(--digest) execution status = %{info}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: command execution status."), + ])); + + var msg45 = msg("STM_WRAPPER:01", part45); + + var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2->} which exceeds the %{fld3->} safe limit. Please check your configuration.", processor_chain([ + dup6, + setc("event_description","STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit."), + ])); + + var msg46 = msg("STM_WRAPPER:02", part46); + + var part47 = match("MESSAGE#46:STM_WRAPPER:03", "nwparser.payload", "STM_WRAPPER: Committing UI configuration.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Committing UI configuration."), + ])); + + var msg47 = msg("STM_WRAPPER:03", part47); + + var part48 = match("MESSAGE#47:STM_WRAPPER:04", "nwparser.payload", "STM_WRAPPER: Successfully stopped STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully stopped STM."), + ])); + + var msg48 = msg("STM_WRAPPER:04", part48); + + var part49 = match("MESSAGE#48:STM_WRAPPER:05", "nwparser.payload", "STM_WRAPPER: Successfully initialized STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully initialized STM."), + ])); + + var msg49 = msg("STM_WRAPPER:05", part49); + + var part50 = match("MESSAGE#49:STM_WRAPPER:06", "nwparser.payload", "STM_WRAPPER: Initializing STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Initializing STM."), + ])); + + var msg50 = msg("STM_WRAPPER:06", part50); + + var part51 = match("MESSAGE#50:STM_WRAPPER:07", "nwparser.payload", "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed."), + ])); + + var msg51 = msg("STM_WRAPPER:07", part51); + + var select3 = linear_select([ + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1->} RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT: RPC information."), + ])); + + var msg52 = msg("CONFIG_AGENT:01", part52); + + var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Received put-tree command."), + ])); + + var msg53 = msg("CONFIG_AGENT:02", part53); + + var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3}", processor_chain([ + dup4, + setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), + ])); + + var msg54 = msg("CONFIG_AGENT:03", part54); + + var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1->} Initiating config_agent database commit phase.", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Initiating config_agent database commit phase."), + ])); + + var msg55 = msg("CONFIG_AGENT:04", part55); + + var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Update succeeded", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Update succeded."), + ])); + + var msg56 = msg("CONFIG_AGENT:05", part56); + + var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:No rules."), + ])); + + var msg57 = msg("CONFIG_AGENT:06", part57); + + var select4 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + ]); + + var part58 = match("MESSAGE#57:PROCMON:01", "nwparser.payload", "PROCMON: Started monitoring%{}", processor_chain([ + dup3, + setc("event_description","PROCMON: Started monitoring"), + ])); + + var msg58 = msg("PROCMON:01", part58); + + var part59 = match("MESSAGE#58:PROCMON:02", "nwparser.payload", "PROCMON: number of stm worker threads is%{info}", processor_chain([ + dup3, + setc("event_description","PROCMON: number of stm worker threads"), + ])); + + var msg59 = msg("PROCMON:02", part59); + + var part60 = match("MESSAGE#59:PROCMON:03", "nwparser.payload", "PROCMON: Monitoring links: %{interface}", processor_chain([ + dup3, + setc("event_description","PROCMON: Monitoring links."), + ])); + + var msg60 = msg("PROCMON:03", part60); + + var part61 = match("MESSAGE#60:PROCMON:04", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] %{interface}: link is up", processor_chain([ + dup3, + setc("event_description","PROCMON:Link is up."), + ])); + + var msg61 = msg("PROCMON:04", part61); + + var part62 = match("MESSAGE#61:PROCMON:05", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] Firmware storage exceeds %{info}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","PROCMON:Firmware storage exceeding."), + ])); + + var msg62 = msg("PROCMON:05", part62); + + var part63 = match("MESSAGE#62:PROCMON:06", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] One of the RAID arrays is degrading.", processor_chain([ + dup6, + setc("event_description","PROCMON:One of the RAID arrays is degrading."), + ])); + + var msg63 = msg("PROCMON:06", part63); + + var select5 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + ]); + + var part64 = match("MESSAGE#63:BYPASS:01", "nwparser.payload", "BYPASS: State set to normal: starting heartbeat.%{}", processor_chain([ + dup3, + setc("event_description","BYPASS: State set to normal: starting heartbeat."), + ])); + + var msg64 = msg("BYPASS:01", part64); + + var part65 = match("MESSAGE#64:BYPASS:02", "nwparser.payload", "BYPASS: Mode change: %{fld1},%{fld2}", processor_chain([ + dup3, + setc("event_description","Mode change."), + ])); + + var msg65 = msg("BYPASS:02", part65); + + var part66 = match("MESSAGE#65:BYPASS:03", "nwparser.payload", "BYPASS: Mode set to BYPASS (%{fld2}).", processor_chain([ + dup3, + setc("event_description"," Mode set to BYPASS."), + ])); + + var msg66 = msg("BYPASS:03", part66); + + var part67 = match("MESSAGE#66:BYPASS:04", "nwparser.payload", "BYPASS: Mode set to never bypass.%{}", processor_chain([ + dup3, + setc("event_description"," Mode set to never BYPASS."), + ])); + + var msg67 = msg("BYPASS:04", part67); + + var select6 = linear_select([ + msg64, + msg65, + msg66, + msg67, + ]); + + var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2->} to %{fld3}", processor_chain([ + dup3, + setc("event_description"," INSTALL: migrating configuration."), + ])); + + var msg68 = msg("INSTALL:01", part68); + + var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2->} release.", processor_chain([ + dup3, + setc("event_description"," INSTALL: Loading snapshot from previous version."), + ])); + + var msg69 = msg("INSTALL:02", part69); + + var select7 = linear_select([ + msg68, + msg69, + ]); + + var part70 = match("MESSAGE#69:eventmgr:01", "nwparser.payload", "eventmgr: Forwarding log messages to syslog host #%{fld3}, address=%{hostip}", processor_chain([ + dup3, + setc("event_description","eventmgr: Forwarding log messages to syslog host"), + ])); + + var msg70 = msg("eventmgr:01", part70); + + var part71 = match("MESSAGE#70:eventmgr:02", "nwparser.payload", "eventmgr: Event manager startup succeeded.%{}", processor_chain([ + dup3, + setc("event_description","eventmgr: Event manager startup succeeded."), + ])); + + var msg71 = msg("eventmgr:02", part71); + + var select8 = linear_select([ + msg70, + msg71, + ]); + + var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + setc("event_description"," Configuration changes made."), + dup8, + ])); + + var msg72 = msg("CONFIG", part72); + + var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401060000"), + setc("event_description"," Login."), + dup8, + ])); + + var msg73 = msg("LOGIN", part73); + + var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("event_description"," Session timeout."), + dup8, + ])); + + var msg74 = msg("SESSION_TIMEOUT", part74); + + var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + setc("ec_theme","Authentication"), + setc("ec_outcome","Success"), + setc("event_description"," Logout."), + dup8, + ])); + + var msg75 = msg("LOGOUT", part75); + + var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401030000"), + setc("event_description"," Unsuccessful login."), + dup8, + ])); + + var msg76 = msg("UNSUCCESSFUL_LOGIN", part76); + + var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Operating in Transport Mode"), + dup8, + ])); + + var msg77 = msg("TRANSPARENT_MODE", part77); + + var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Support Tunnel Opened"), + dup8, + ])); + + var msg78 = msg("SUPPORT_TUNNEL_OPEN", part78); + + var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Update"), + dup8, + ])); + + var msg79 = msg("FIRMWARE_UPDATE", part79); + + var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Revert."), + dup8, + ])); + + var msg80 = msg("FIRMWARE_REVERT", part80); + + var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System Reboot."), + dup8, + ])); + + var msg81 = msg("REBOOT", part81); + + var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System ROLLBACK."), + dup8, + ])); + + var msg82 = msg("ROLLBACK", part82); + + var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} \"[%{result}]\" %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, + ])); + + var msg83 = msg("HEADER_COUNT_EXCEEDED:01", part83); + + var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, + ])); + + var msg84 = msg("HEADER_COUNT_EXCEEDED:02", part84); + + var msg85 = msg("HEADER_COUNT_EXCEEDED", dup26); + + var select9 = linear_select([ + msg83, + msg84, + msg85, + ]); + + var msg86 = msg("CROSS_SITE_SCRIPTING_IN_PARAM:01", dup27); + + var msg87 = msg("CROSS_SITE_SCRIPTING_IN_PARAM", dup26); + + var select10 = linear_select([ + msg86, + msg87, + ]); + + var msg88 = msg("SQL_INJECTION_IN_URL:01", dup27); + + var msg89 = msg("SQL_INJECTION_IN_URL", dup26); + + var select11 = linear_select([ + msg88, + msg89, + ]); + + var msg90 = msg("OS_CMD_INJECTION_IN_URL:01", dup27); + + var msg91 = msg("OS_CMD_INJECTION_IN_URL", dup26); + + var select12 = linear_select([ + msg90, + msg91, + ]); + + var msg92 = msg("TILDE_IN_URL:01", dup27); + + var msg93 = msg("TILDE_IN_URL", dup26); + + var select13 = linear_select([ + msg92, + msg93, + ]); + + var msg94 = msg("SQL_INJECTION_IN_PARAM:01", dup27); + + var msg95 = msg("SQL_INJECTION_IN_PARAM", dup26); + + var select14 = linear_select([ + msg94, + msg95, + ]); + + var part85 = match("MESSAGE#95:OS_CMD_INJECTION_IN_PARAM:01/1_1", "nwparser.p0", "[%{result->} \"] %{p0}"); + + var select15 = linear_select([ + dup13, + part85, + dup14, + ]); + + var all1 = all_match({ + processors: [ + dup12, + select15, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var msg96 = msg("OS_CMD_INJECTION_IN_PARAM:01", all1); + + var msg97 = msg("OS_CMD_INJECTION_IN_PARAM", dup26); + + var select16 = linear_select([ + msg96, + msg97, + ]); + + var msg98 = msg("METHOD_NOT_ALLOWED:01", dup27); + + var msg99 = msg("METHOD_NOT_ALLOWED", dup26); + + var select17 = linear_select([ + msg98, + msg99, + ]); + + var msg100 = msg("ERROR_RESPONSE_SUPPRESSED:01", dup27); + + var msg101 = msg("ERROR_RESPONSE_SUPPRESSED", dup26); + + var select18 = linear_select([ + msg100, + msg101, + ]); + + var msg102 = msg("DENY_ACL_MATCHED:01", dup27); + + var msg103 = msg("DENY_ACL_MATCHED", dup26); + + var select19 = linear_select([ + msg102, + msg103, + ]); + + var msg104 = msg("NO_DOMAIN_MATCH_IN_PROFILE", dup24); + + var msg105 = msg("NO_URL_PROFILE_MATCH", dup24); + + var msg106 = msg("UNRECOGNIZED_COOKIE", dup24); + + var msg107 = msg("HEADER_VALUE_LENGTH_EXCEEDED", dup24); + + var msg108 = msg("UNKNOWN_CONTENT_TYPE", dup24); + + var msg109 = msg("INVALID_URL_ENCODING", dup24); + + var msg110 = msg("INVALID_URL_CHARSET", dup24); + + var msg111 = msg("CROSS_SITE_SCRIPTING_IN_URL:01", dup27); + + var msg112 = msg("CROSS_SITE_SCRIPTING_IN_URL", dup26); + + var select20 = linear_select([ + msg111, + msg112, + ]); + + var msg113 = msg("SLASH_DOT_IN_URL:01", dup27); + + var msg114 = msg("SLASH_DOT_IN_URL", dup26); + + var select21 = linear_select([ + msg113, + msg114, + ]); + + var part86 = match("MESSAGE#114:SYS", "nwparser.payload", "%{fld9->} %{fld10->} %{timezone->} %{fld11->} %{category->} %{event_type->} %{severity->} %{operation_id->} %{event_description}", processor_chain([ + dup3, + date_time({ + dest: "event_time", + args: ["hfld9","hfld10"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ])); + + var msg115 = msg("SYS", part86); + + var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log->} Severity=%{severity->} Protocol=%{protocol->} SourceIP=%{saddr->} SourcePort=%{sport->} DestIP=%{daddr->} DestPort=%{dport->} Action=%{action->} AdminName=%{administrator->} Details=%{info}", processor_chain([ + dup17, + date_time({ + dest: "event_time", + args: ["hfld1","hfld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ])); + + var msg116 = msg("BARRACUDAWAF", part87); + + var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + dup8, + setc("category","AUDIT"), + setc("vid","Audit_Logs"), + ])); + + var msg117 = msg("Audit_Logs", part88); + + var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + setc("category","WF"), + setc("vid","WF"), + ])); + + var msg118 = msg("WF", part89); + + var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all2 = all_match({ + processors: [ + part90, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg119 = msg("TR_Logs:01", all2); + + var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all3 = all_match({ + processors: [ + part91, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg120 = msg("TR_Logs:02", all3); + + var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all4 = all_match({ + processors: [ + part92, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg121 = msg("TR_Logs:03", all4); + + var part93 = match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all5 = all_match({ + processors: [ + part93, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg122 = msg("TR_Logs", all5); + + var select22 = linear_select([ + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "BARRACUDAWAF": msg116, + "BARRACUDA_GENRIC": select22, + "BYPASS": select6, + "CONFIG": msg72, + "CONFIG_AGENT": select4, + "CROSS_SITE_SCRIPTING_IN_PARAM": select10, + "CROSS_SITE_SCRIPTING_IN_URL": select20, + "DENY_ACL_MATCHED": select19, + "ERROR_RESPONSE_SUPPRESSED": select18, + "FIRMWARE_REVERT": msg80, + "FIRMWARE_UPDATE": msg79, + "HEADER_COUNT_EXCEEDED": select9, + "HEADER_VALUE_LENGTH_EXCEEDED": msg107, + "INSTALL": select7, + "INVALID_URL_CHARSET": msg110, + "INVALID_URL_ENCODING": msg109, + "LOGIN": msg73, + "LOGOUT": msg75, + "METHOD_NOT_ALLOWED": select17, + "NO_DOMAIN_MATCH_IN_PROFILE": msg104, + "NO_URL_PROFILE_MATCH": msg105, + "OS_CMD_INJECTION_IN_PARAM": select16, + "OS_CMD_INJECTION_IN_URL": select12, + "PROCMON": select5, + "REBOOT": msg81, + "ROLLBACK": msg82, + "SESSION_TIMEOUT": msg74, + "SLASH_DOT_IN_URL": select21, + "SQL_INJECTION_IN_PARAM": select14, + "SQL_INJECTION_IN_URL": select11, + "STM": select2, + "STM_WRAPPER": select3, + "SUPPORT_TUNNEL_OPEN": msg78, + "SYS": msg115, + "TILDE_IN_URL": select13, + "TRANSPARENT_MODE": msg77, + "UNKNOWN_CONTENT_TYPE": msg108, + "UNRECOGNIZED_COOKIE": msg106, + "UNSUCCESSFUL_LOGIN": msg76, + "UPDATE": msg1, + "eventmgr": select8, + }), + ]); + + var part94 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + + var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + + var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + + var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + + var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + + var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); + + var part100 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); + + var select23 = linear_select([ + dup13, + dup14, + ]); + + var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + ])); + + var select24 = linear_select([ + dup18, + dup19, + ]); + + var all6 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var all7 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/barracuda/0.11.2/data_stream/waf/agent/stream/udp.yml.hbs b/packages/barracuda/0.11.2/data_stream/waf/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..7e30da1c69 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/agent/stream/udp.yml.hbs @@ -0,0 +1,3935 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Barracuda" + product: "Web" + type: "WAF" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + + var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + + var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + + var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + + var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + + var dup17 = setc("eventcategory","1204000000"); + + var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); + + var dup19 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); + + var dup20 = setf("msg_id","web_method"); + + var dup21 = setc("category","TR"); + + var dup22 = setc("vid","TR_Logs"); + + var dup23 = linear_select([ + dup13, + dup14, + ]); + + var dup24 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + ])); + + var dup25 = linear_select([ + dup18, + dup19, + ]); + + var dup26 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var dup27 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(":"), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timezone->} Unit=%{messageid->} %{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0009"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" TR "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0007"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" AUDIT "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ + setc("header_id","0008"), + dup2, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld7"), + constant(" "), + field("hfld8"), + constant("."), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" WF "), + field("hfld5"), + constant(" "), + field("hfld6"), + constant(" "), + field("hfld8"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("htimezone"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld10"), + constant(" "), + field("hfld11"), + constant(" "), + field("hhost"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + ]); + + var part1 = match("MESSAGE#0:UPDATE", "nwparser.payload", "UPDATE: [ALERT:%{fld3}] New attack definition version %{version->} is available", processor_chain([ + setc("eventcategory","1502030000"), + setc("event_description","UPDATE: ALERT New attack definition version is available"), + ])); + + var msg1 = msg("UPDATE", part1); + + var part2 = match("MESSAGE#1:STM:01", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{id}] Server %{daddr}:%{dport->} is disabled by out of band monitor ( new mode out_of_service_all ) Reason:%{result}", processor_chain([ + setc("eventcategory","1603000000"), + setc("event_description","STM: LB Server disabled by out of band monitor"), + ])); + + var msg2 = msg("STM:01", part2); + + var part3 = match("MESSAGE#2:STM:02", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} Server %{saddr->} is created.", processor_chain([ + dup3, + setc("event_description","STM: LB Server created."), + ])); + + var msg3 = msg("STM:02", part3); + + var part4 = match("MESSAGE#3:STM:03", "nwparser.payload", "STM: SSKey-%{fld1->} %{fld2->} Cookie Encryption Key has already expired", processor_chain([ + setc("eventcategory","1613030100"), + setc("event_description","STM: SSKEY Cookie Encryption Key has already expired."), + ])); + + var msg4 = msg("STM:03", part4); + + var part5 = match("MESSAGE#4:STM:04", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Module CookieKey registered with Stateful Failover module.", processor_chain([ + dup4, + setc("event_description","STM:FAILOVE Module CookieKey registered with Stateful Failover module."), + ])); + + var msg5 = msg("STM:04", part5); + + var part6 = match("MESSAGE#5:STM:05", "nwparser.payload", "STM: FEHCMON-%{fld1->} %{fld2->} FEHC Monitor Module initialized.", processor_chain([ + dup3, + setc("event_description","STM:FECHMON FEHC Monitor Module initialized."), + ])); + + var msg6 = msg("STM:05", part6); + + var part7 = match("MESSAGE#6:STM:06", "nwparser.payload", "STM: FAILOVE-%{fld1->} %{fld2->} Stateful Failover Module initialized.", processor_chain([ + dup3, + setc("event_description","STM: FAILOVE Stateful Failover Module initialized."), + ])); + + var msg7 = msg("STM:06", part7); + + var part8 = match("MESSAGE#7:STM:07", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld3->} [%{fld2}] New Service (ID %{fld4}) Created at %{saddr}:%{sport}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE New Service created."), + ])); + + var msg8 = msg("STM:07", part8); + + var part9 = match("MESSAGE#8:STM:08", "nwparser.payload", "STM: SSL-%{fld1->} %{fld2->} Ssl Initialization", processor_chain([ + dup4, + setc("event_description","STM: SSL Initialization."), + ])); + + var msg9 = msg("STM:08", part9); + + var part10 = match("MESSAGE#9:STM:09", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} LookupServerCtx = %{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB-LookupServerCtx."), + ])); + + var msg10 = msg("STM:09", part10); + + var part11 = match("MESSAGE#10:STM:10", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamProtectionClonePatterns: Old:%{change_old}, New:%{change_new}, PatternsNode:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps ParamProtectionClonePatterns values changed."), + ])); + + var msg11 = msg("STM:10", part11); + + var part12 = match("MESSAGE#11:STM:11", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SapCtx log."), + ])); + + var msg12 = msg("STM:11", part12); + + var part13 = match("MESSAGE#12:STM:12", "nwparser.payload", "STM: CACHE-%{fld1->} %{fld2->} %{obj_name->} SapCtx %{fld3}, SapId %{fld4}, Return Code %{result}", processor_chain([ + dup3, + setc("event_description","STM: CACHE SapCtx log."), + ])); + + var msg13 = msg("STM:12", part13); + + var part14 = match("MESSAGE#13:STM:13", "nwparser.payload", "STM: FTPSVC-%{fld1->} %{fld2->} Ftp proxy initialized %{info}", processor_chain([ + dup3, + setc("event_description","STM: FTPSVC Ftp proxy initialized."), + ])); + + var msg14 = msg("STM:13", part14); + + var part15 = match("MESSAGE#14:STM:14", "nwparser.payload", "STM: STM-%{fld1->} %{fld2->} Secure Traffic Manager Initialization complete: %{info}", processor_chain([ + dup3, + setc("event_description","STM: STM Secure Traffic Manager Initialization complete."), + ])); + + var msg15 = msg("STM:14", part15); + + var part16 = match("MESSAGE#15:STM:15", "nwparser.payload", "STM: COOKIE-%{fld1->} %{fld2->} %{obj_name->} = %{info}", processor_chain([ + dup3, + setc("event_description","STM: COOKIE Cookie parameters set."), + ])); + + var msg16 = msg("STM:15", part16); + + var part17 = match("MESSAGE#16:STM:16", "nwparser.payload", "STM: WebLog-%{fld1->} %{fld2->} %{obj_name}: SapCtx=%{fld3},SapId=%{fld4}, %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: WebLog Set Sap variable."), + ])); + + var msg17 = msg("STM:16", part17); + + var part18 = match("MESSAGE#17:STM:17", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsPatternGroup SapCtx : %{fld3}, grp_id : %{fld4}, type : %{fld5->} grp: %{info}", processor_chain([ + dup3, + setc("event_description","STM: aps Set AddIpsPatternGroup."), + ])); + + var msg18 = msg("STM:17", part18); + + var part19 = match("MESSAGE#18:STM:18", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddPCInfoKeyWordMeta: Info:%{fld3}, Table:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddPCInfoKeyWordMeta."), + ])); + + var msg19 = msg("STM:18", part19); + + var part20 = match("MESSAGE#19:STM:19", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddParamClass: %{fld3}: KeyWords:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClass."), + ])); + + var msg20 = msg("STM:19", part20); + + var part21 = match("MESSAGE#20:STM:20", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetParamClassPatternsAndDFA: Ctx:%{fld3}, type:%{fld4}, dfaId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassPatternsAndDFA."), + ])); + + var msg21 = msg("STM:20", part21); + + var part22 = match("MESSAGE#21:STM:21", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} ParamClassClonePatternsInfo: Old:%{fld3}, New:%{fld4}, PatternsNode:%{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps AddParamClassClonePatternsInfo."), + ])); + + var msg22 = msg("STM:21", part22); + + var part23 = match("MESSAGE#22:STM:22", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLogIntrusionOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsLogIntrusionOn."), + ])); + + var msg23 = msg("STM:22", part23); + + var part24 = match("MESSAGE#23:STM:23", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} AddIpsCloakFilterRespHeader [%{fld3}] Ret %{fld4}, SapCtx %{fld5}, sapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: aps AddIpsCloakFilterRespHeader."), + ])); + + var msg24 = msg("STM:23", part24); + + var part25 = match("MESSAGE#24:STM:24", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicy SapCtx %{fld3}, Policy %{fld4}, Return %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicy."), + ])); + + var msg25 = msg("STM:24", part25); + + var part26 = match("MESSAGE#25:STM:25", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsTheftPolicyDfa SapCtx %{fld3}, Policy %{fld4}, mode %{fld5}, bytes %{fld6}, Return %{fld7}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsTheftPolicyDfa."), + ])); + + var msg26 = msg("STM:25", part26); + + var part27 = match("MESSAGE#26:STM:26", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicy Return Code %{fld3}", processor_chain([ + dup3, + dup5, + ])); + + var msg27 = msg("STM:26", part27); + + var part28 = match("MESSAGE#27:STM:27", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} CreateRC: RC Add policy Success", processor_chain([ + dup3, + setc("event_description","STM: aps CreateRC: RC Add policy Success."), + ])); + + var msg28 = msg("STM:27", part28); + + var part29 = match("MESSAGE#28:STM:28", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetSap%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Sap command."), + ])); + + var msg29 = msg("STM:28", part29); + + var part30 = match("MESSAGE#29:STM:29", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} SetServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Set Server command."), + ])); + + var msg30 = msg("STM:29", part30); + + var part31 = match("MESSAGE#30:STM:30", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} AddServer%{info}=%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Add Server command."), + ])); + + var msg31 = msg("STM:30", part31); + + var part32 = match("MESSAGE#31:STM:31", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} CreateServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Create Server command."), + ])); + + var msg32 = msg("STM:31", part32); + + var part33 = match("MESSAGE#32:STM:32", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} EnableServer =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB Enable Server command."), + ])); + + var msg33 = msg("STM:32", part33); + + var part34 = match("MESSAGE#33:STM:33", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} ActiveServerOutOfBandMonitorAttr =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB ActiveServerOutOfBandMonitorAttr command."), + ])); + + var msg34 = msg("STM:33", part34); + + var part35 = match("MESSAGE#34:STM:34", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} BindServerToSap =%{fld3}", processor_chain([ + dup3, + setc("event_description","STM: LB BindServerToSap command."), + ])); + + var msg35 = msg("STM:34", part35); + + var part36 = match("MESSAGE#35:STM:35", "nwparser.payload", "STM: LB-%{fld1->} %{fld2->} [ALERT:%{fld3}] Server %{saddr}:%{sport->} is enabled by out of band monitor. Reason:out of band monitor", processor_chain([ + dup3, + setc("event_description","STM: LB Server is enabled by out of band monitor Reason out of band monitor"), + ])); + + var msg36 = msg("STM:35", part36); + + var part37 = match("MESSAGE#36:STM:36", "nwparser.payload", "STM: SERVICE-%{fld1->} %{fld2->} [%{saddr}:%{sport}] Service Started %{fld3}:%{fld4}", processor_chain([ + dup3, + setc("event_description","STM: SERVICE Server service started command."), + ])); + + var msg37 = msg("STM:36", part37); + + var part38 = match("MESSAGE#37:STM:37", "nwparser.payload", "STM: RespPage-%{fld1->} %{fld2->} CreateRP: Response Page %{fld3->} created successfully", processor_chain([ + dup3, + setc("event_description","STM: RespPage Response Page created successfully."), + ])); + + var msg38 = msg("STM:37", part38); + + var part39 = match("MESSAGE#38:STM:38", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} AddWATReqRewriteRule AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: AddWATReqRewriteRule AclName."), + ])); + + var msg39 = msg("STM:38", part39); + + var part40 = match("MESSAGE#39:STM:39", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewriteRuleNameWithKe AclName [%{fld3}] Ret %{fld4->} SapCtx %{fld5}, SapId %{fld6}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewriteRuleNameWithKe AclName."), + ])); + + var msg40 = msg("STM:39", part40); + + var part41 = match("MESSAGE#40:STM:40", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATReqRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATReqRewritePolicyOn."), + ])); + + var msg41 = msg("STM:40", part41); + + var part42 = match("MESSAGE#41:STM:41", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsOn SapCtx %{fld3}, Return Code %{fld4}", processor_chain([ + dup3, + setc("event_description","STM: aps SetIpsOn."), + ])); + + var msg42 = msg("STM:41", part42); + + var part43 = match("MESSAGE#42:STM:42", "nwparser.payload", "STM: aps-%{fld1->} %{fld2->} SetIpsLimitPolicyOn Return Code %{fld3}", processor_chain([ + dup3, + dup5, + ])); + + var msg43 = msg("STM:42", part43); + + var part44 = match("MESSAGE#43:STM:43", "nwparser.payload", "STM: WATRewr-%{fld1->} %{fld2->} SetWATRespRewritePolicyOn - %{fld6->} Ret %{fld3->} SapCtx %{fld4}, SapId %{fld5}", processor_chain([ + dup3, + setc("event_description","STM: SetWATRespRewritePolicyOn."), + ])); + + var msg44 = msg("STM:43", part44); + + var select2 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part45 = match("MESSAGE#44:STM_WRAPPER:01", "nwparser.payload", "STM_WRAPPER: command(--digest) execution status = %{info}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: command execution status."), + ])); + + var msg45 = msg("STM_WRAPPER:01", part45); + + var part46 = match("MESSAGE#45:STM_WRAPPER:02", "nwparser.payload", "STM_WRAPPER: [ALERT:%{fld1}] Configuration size is %{fld2->} which exceeds the %{fld3->} safe limit. Please check your configuration.", processor_chain([ + dup6, + setc("event_description","STM_WRAPPER: ALERT Configuration size exceeds the safe memory limit."), + ])); + + var msg46 = msg("STM_WRAPPER:02", part46); + + var part47 = match("MESSAGE#46:STM_WRAPPER:03", "nwparser.payload", "STM_WRAPPER: Committing UI configuration.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Committing UI configuration."), + ])); + + var msg47 = msg("STM_WRAPPER:03", part47); + + var part48 = match("MESSAGE#47:STM_WRAPPER:04", "nwparser.payload", "STM_WRAPPER: Successfully stopped STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully stopped STM."), + ])); + + var msg48 = msg("STM_WRAPPER:04", part48); + + var part49 = match("MESSAGE#48:STM_WRAPPER:05", "nwparser.payload", "STM_WRAPPER: Successfully initialized STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Successfully initialized STM."), + ])); + + var msg49 = msg("STM_WRAPPER:05", part49); + + var part50 = match("MESSAGE#49:STM_WRAPPER:06", "nwparser.payload", "STM_WRAPPER: Initializing STM.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Initializing STM."), + ])); + + var msg50 = msg("STM_WRAPPER:06", part50); + + var part51 = match("MESSAGE#50:STM_WRAPPER:07", "nwparser.payload", "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.%{}", processor_chain([ + dup3, + setc("event_description","STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed."), + ])); + + var msg51 = msg("STM_WRAPPER:07", part51); + + var select3 = linear_select([ + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part52 = match("MESSAGE#51:CONFIG_AGENT:01", "nwparser.payload", "CONFIG_AGENT: %{fld1->} RPC Name =%{fld2}, RPC Result: %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT: RPC information."), + ])); + + var msg52 = msg("CONFIG_AGENT:01", part52); + + var part53 = match("MESSAGE#52:CONFIG_AGENT:02", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Received put-tree command", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Received put-tree command."), + ])); + + var msg53 = msg("CONFIG_AGENT:02", part53); + + var part54 = match("MESSAGE#53:CONFIG_AGENT:03", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., %{fld3}", processor_chain([ + dup4, + setc("event_description","It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time."), + ])); + + var msg54 = msg("CONFIG_AGENT:03", part54); + + var part55 = match("MESSAGE#54:CONFIG_AGENT:04", "nwparser.payload", "CONFIG_AGENT: %{fld1->} Initiating config_agent database commit phase.", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Initiating config_agent database commit phase."), + ])); + + var msg55 = msg("CONFIG_AGENT:04", part55); + + var part56 = match("MESSAGE#55:CONFIG_AGENT:05", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} Update succeeded", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:Update succeded."), + ])); + + var msg56 = msg("CONFIG_AGENT:05", part56); + + var part57 = match("MESSAGE#56:CONFIG_AGENT:06", "nwparser.payload", "CONFIG_AGENT: %{fld1->} %{fld2->} No rules, %{fld3}", processor_chain([ + dup3, + setc("event_description","CONFIG_AGENT:No rules."), + ])); + + var msg57 = msg("CONFIG_AGENT:06", part57); + + var select4 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + ]); + + var part58 = match("MESSAGE#57:PROCMON:01", "nwparser.payload", "PROCMON: Started monitoring%{}", processor_chain([ + dup3, + setc("event_description","PROCMON: Started monitoring"), + ])); + + var msg58 = msg("PROCMON:01", part58); + + var part59 = match("MESSAGE#58:PROCMON:02", "nwparser.payload", "PROCMON: number of stm worker threads is%{info}", processor_chain([ + dup3, + setc("event_description","PROCMON: number of stm worker threads"), + ])); + + var msg59 = msg("PROCMON:02", part59); + + var part60 = match("MESSAGE#59:PROCMON:03", "nwparser.payload", "PROCMON: Monitoring links: %{interface}", processor_chain([ + dup3, + setc("event_description","PROCMON: Monitoring links."), + ])); + + var msg60 = msg("PROCMON:03", part60); + + var part61 = match("MESSAGE#60:PROCMON:04", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] %{interface}: link is up", processor_chain([ + dup3, + setc("event_description","PROCMON:Link is up."), + ])); + + var msg61 = msg("PROCMON:04", part61); + + var part62 = match("MESSAGE#61:PROCMON:05", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] Firmware storage exceeds %{info}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","PROCMON:Firmware storage exceeding."), + ])); + + var msg62 = msg("PROCMON:05", part62); + + var part63 = match("MESSAGE#62:PROCMON:06", "nwparser.payload", "PROCMON: [ALERT:%{fld1}] One of the RAID arrays is degrading.", processor_chain([ + dup6, + setc("event_description","PROCMON:One of the RAID arrays is degrading."), + ])); + + var msg63 = msg("PROCMON:06", part63); + + var select5 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + ]); + + var part64 = match("MESSAGE#63:BYPASS:01", "nwparser.payload", "BYPASS: State set to normal: starting heartbeat.%{}", processor_chain([ + dup3, + setc("event_description","BYPASS: State set to normal: starting heartbeat."), + ])); + + var msg64 = msg("BYPASS:01", part64); + + var part65 = match("MESSAGE#64:BYPASS:02", "nwparser.payload", "BYPASS: Mode change: %{fld1},%{fld2}", processor_chain([ + dup3, + setc("event_description","Mode change."), + ])); + + var msg65 = msg("BYPASS:02", part65); + + var part66 = match("MESSAGE#65:BYPASS:03", "nwparser.payload", "BYPASS: Mode set to BYPASS (%{fld2}).", processor_chain([ + dup3, + setc("event_description"," Mode set to BYPASS."), + ])); + + var msg66 = msg("BYPASS:03", part66); + + var part67 = match("MESSAGE#66:BYPASS:04", "nwparser.payload", "BYPASS: Mode set to never bypass.%{}", processor_chain([ + dup3, + setc("event_description"," Mode set to never BYPASS."), + ])); + + var msg67 = msg("BYPASS:04", part67); + + var select6 = linear_select([ + msg64, + msg65, + msg66, + msg67, + ]); + + var part68 = match("MESSAGE#67:INSTALL:01", "nwparser.payload", "INSTALL: Migrating configuration from %{fld2->} to %{fld3}", processor_chain([ + dup3, + setc("event_description"," INSTALL: migrating configuration."), + ])); + + var msg68 = msg("INSTALL:01", part68); + + var part69 = match("MESSAGE#68:INSTALL:02", "nwparser.payload", "INSTALL: Loading the snapshot for %{fld2->} release.", processor_chain([ + dup3, + setc("event_description"," INSTALL: Loading snapshot from previous version."), + ])); + + var msg69 = msg("INSTALL:02", part69); + + var select7 = linear_select([ + msg68, + msg69, + ]); + + var part70 = match("MESSAGE#69:eventmgr:01", "nwparser.payload", "eventmgr: Forwarding log messages to syslog host #%{fld3}, address=%{hostip}", processor_chain([ + dup3, + setc("event_description","eventmgr: Forwarding log messages to syslog host"), + ])); + + var msg70 = msg("eventmgr:01", part70); + + var part71 = match("MESSAGE#70:eventmgr:02", "nwparser.payload", "eventmgr: Event manager startup succeeded.%{}", processor_chain([ + dup3, + setc("event_description","eventmgr: Event manager startup succeeded."), + ])); + + var msg71 = msg("eventmgr:02", part71); + + var select8 = linear_select([ + msg70, + msg71, + ]); + + var part72 = match("MESSAGE#71:CONFIG", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + setc("event_description"," Configuration changes made."), + dup8, + ])); + + var msg72 = msg("CONFIG", part72); + + var part73 = match("MESSAGE#72:LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401060000"), + setc("event_description"," Login."), + dup8, + ])); + + var msg73 = msg("LOGIN", part73); + + var part74 = match("MESSAGE#73:SESSION_TIMEOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("event_description"," Session timeout."), + dup8, + ])); + + var msg74 = msg("SESSION_TIMEOUT", part74); + + var part75 = match("MESSAGE#74:LOGOUT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup9, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + setc("ec_theme","Authentication"), + setc("ec_outcome","Success"), + setc("event_description"," Logout."), + dup8, + ])); + + var msg75 = msg("LOGOUT", part75); + + var part76 = match("MESSAGE#75:UNSUCCESSFUL_LOGIN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + setc("eventcategory","1401030000"), + setc("event_description"," Unsuccessful login."), + dup8, + ])); + + var msg76 = msg("UNSUCCESSFUL_LOGIN", part76); + + var part77 = match("MESSAGE#76:TRANSPARENT_MODE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Operating in Transport Mode"), + dup8, + ])); + + var msg77 = msg("TRANSPARENT_MODE", part77); + + var part78 = match("MESSAGE#77:SUPPORT_TUNNEL_OPEN", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Support Tunnel Opened"), + dup8, + ])); + + var msg78 = msg("SUPPORT_TUNNEL_OPEN", part78); + + var part79 = match("MESSAGE#78:FIRMWARE_UPDATE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Update"), + dup8, + ])); + + var msg79 = msg("FIRMWARE_UPDATE", part79); + + var part80 = match("MESSAGE#79:FIRMWARE_REVERT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," Firmware Revert."), + dup8, + ])); + + var msg80 = msg("FIRMWARE_REVERT", part80); + + var part81 = match("MESSAGE#80:REBOOT", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System Reboot."), + dup8, + ])); + + var msg81 = msg("REBOOT", part81); + + var part82 = match("MESSAGE#81:ROLLBACK", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup10, + setc("event_description"," System ROLLBACK."), + dup8, + ])); + + var msg82 = msg("ROLLBACK", part82); + + var part83 = match("MESSAGE#82:HEADER_COUNT_EXCEEDED:01", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} \"[%{result}]\" %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, + ])); + + var msg83 = msg("HEADER_COUNT_EXCEEDED:01", part83); + + var part84 = match("MESSAGE#83:HEADER_COUNT_EXCEEDED:02", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup11, + dup8, + ])); + + var msg84 = msg("HEADER_COUNT_EXCEEDED:02", part84); + + var msg85 = msg("HEADER_COUNT_EXCEEDED", dup26); + + var select9 = linear_select([ + msg83, + msg84, + msg85, + ]); + + var msg86 = msg("CROSS_SITE_SCRIPTING_IN_PARAM:01", dup27); + + var msg87 = msg("CROSS_SITE_SCRIPTING_IN_PARAM", dup26); + + var select10 = linear_select([ + msg86, + msg87, + ]); + + var msg88 = msg("SQL_INJECTION_IN_URL:01", dup27); + + var msg89 = msg("SQL_INJECTION_IN_URL", dup26); + + var select11 = linear_select([ + msg88, + msg89, + ]); + + var msg90 = msg("OS_CMD_INJECTION_IN_URL:01", dup27); + + var msg91 = msg("OS_CMD_INJECTION_IN_URL", dup26); + + var select12 = linear_select([ + msg90, + msg91, + ]); + + var msg92 = msg("TILDE_IN_URL:01", dup27); + + var msg93 = msg("TILDE_IN_URL", dup26); + + var select13 = linear_select([ + msg92, + msg93, + ]); + + var msg94 = msg("SQL_INJECTION_IN_PARAM:01", dup27); + + var msg95 = msg("SQL_INJECTION_IN_PARAM", dup26); + + var select14 = linear_select([ + msg94, + msg95, + ]); + + var part85 = match("MESSAGE#95:OS_CMD_INJECTION_IN_PARAM:01/1_1", "nwparser.p0", "[%{result->} \"] %{p0}"); + + var select15 = linear_select([ + dup13, + part85, + dup14, + ]); + + var all1 = all_match({ + processors: [ + dup12, + select15, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var msg96 = msg("OS_CMD_INJECTION_IN_PARAM:01", all1); + + var msg97 = msg("OS_CMD_INJECTION_IN_PARAM", dup26); + + var select16 = linear_select([ + msg96, + msg97, + ]); + + var msg98 = msg("METHOD_NOT_ALLOWED:01", dup27); + + var msg99 = msg("METHOD_NOT_ALLOWED", dup26); + + var select17 = linear_select([ + msg98, + msg99, + ]); + + var msg100 = msg("ERROR_RESPONSE_SUPPRESSED:01", dup27); + + var msg101 = msg("ERROR_RESPONSE_SUPPRESSED", dup26); + + var select18 = linear_select([ + msg100, + msg101, + ]); + + var msg102 = msg("DENY_ACL_MATCHED:01", dup27); + + var msg103 = msg("DENY_ACL_MATCHED", dup26); + + var select19 = linear_select([ + msg102, + msg103, + ]); + + var msg104 = msg("NO_DOMAIN_MATCH_IN_PROFILE", dup24); + + var msg105 = msg("NO_URL_PROFILE_MATCH", dup24); + + var msg106 = msg("UNRECOGNIZED_COOKIE", dup24); + + var msg107 = msg("HEADER_VALUE_LENGTH_EXCEEDED", dup24); + + var msg108 = msg("UNKNOWN_CONTENT_TYPE", dup24); + + var msg109 = msg("INVALID_URL_ENCODING", dup24); + + var msg110 = msg("INVALID_URL_CHARSET", dup24); + + var msg111 = msg("CROSS_SITE_SCRIPTING_IN_URL:01", dup27); + + var msg112 = msg("CROSS_SITE_SCRIPTING_IN_URL", dup26); + + var select20 = linear_select([ + msg111, + msg112, + ]); + + var msg113 = msg("SLASH_DOT_IN_URL:01", dup27); + + var msg114 = msg("SLASH_DOT_IN_URL", dup26); + + var select21 = linear_select([ + msg113, + msg114, + ]); + + var part86 = match("MESSAGE#114:SYS", "nwparser.payload", "%{fld9->} %{fld10->} %{timezone->} %{fld11->} %{category->} %{event_type->} %{severity->} %{operation_id->} %{event_description}", processor_chain([ + dup3, + date_time({ + dest: "event_time", + args: ["hfld9","hfld10"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ])); + + var msg115 = msg("SYS", part86); + + var part87 = match("MESSAGE#115:BARRACUDAWAF", "nwparser.payload", "Log=%{event_log->} Severity=%{severity->} Protocol=%{protocol->} SourceIP=%{saddr->} SourcePort=%{sport->} DestIP=%{daddr->} DestPort=%{dport->} Action=%{action->} AdminName=%{administrator->} Details=%{info}", processor_chain([ + dup17, + date_time({ + dest: "event_time", + args: ["hfld1","hfld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ])); + + var msg116 = msg("BARRACUDAWAF", part87); + + var part88 = match("MESSAGE#116:Audit_Logs", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} AUDIT %{operation_id->} %{administrator->} %{action->} %{content_type->} %{hostip->} %{fld8->} %{info->} %{obj_type->} %{fld11->} %{obj_name->} \"%{change_old}\" \"%{change_new}\"", processor_chain([ + dup7, + dup8, + setc("category","AUDIT"), + setc("vid","Audit_Logs"), + ])); + + var msg117 = msg("Audit_Logs", part88); + + var part89 = match("MESSAGE#117:WF", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} WF %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + setc("category","WF"), + setc("vid","WF"), + ])); + + var msg118 = msg("WF", part89); + + var part90 = match("MESSAGE#118:TR_Logs:01/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all2 = all_match({ + processors: [ + part90, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg119 = msg("TR_Logs:01", all2); + + var part91 = match("MESSAGE#119:TR_Logs:02/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} \"-\" \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all3 = all_match({ + processors: [ + part91, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg120 = msg("TR_Logs:02", all3); + + var part92 = match("MESSAGE#120:TR_Logs:03/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} \"-\" %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all4 = all_match({ + processors: [ + part92, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg121 = msg("TR_Logs:03", all4); + + var part93 = match("MESSAGE#121:TR_Logs/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} TR %{operation_id->} %{protocol->} %{web_method->} %{saddr->} %{sport->} %{daddr->} %{dport->} %{url->} %{cert_username->} %{logon_id->} %{web_host->} %{web_referer->} %{resultcode->} %{sbytes->} %{rbytes->} %{web_query->} %{web_cookie->} \"%{user_agent}\" %{stransaddr->} %{p0}"); + + var all5 = all_match({ + processors: [ + part93, + dup25, + ], + on_success: processor_chain([ + dup17, + dup20, + dup8, + dup21, + dup22, + ]), + }); + + var msg122 = msg("TR_Logs", all5); + + var select22 = linear_select([ + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "BARRACUDAWAF": msg116, + "BARRACUDA_GENRIC": select22, + "BYPASS": select6, + "CONFIG": msg72, + "CONFIG_AGENT": select4, + "CROSS_SITE_SCRIPTING_IN_PARAM": select10, + "CROSS_SITE_SCRIPTING_IN_URL": select20, + "DENY_ACL_MATCHED": select19, + "ERROR_RESPONSE_SUPPRESSED": select18, + "FIRMWARE_REVERT": msg80, + "FIRMWARE_UPDATE": msg79, + "HEADER_COUNT_EXCEEDED": select9, + "HEADER_VALUE_LENGTH_EXCEEDED": msg107, + "INSTALL": select7, + "INVALID_URL_CHARSET": msg110, + "INVALID_URL_ENCODING": msg109, + "LOGIN": msg73, + "LOGOUT": msg75, + "METHOD_NOT_ALLOWED": select17, + "NO_DOMAIN_MATCH_IN_PROFILE": msg104, + "NO_URL_PROFILE_MATCH": msg105, + "OS_CMD_INJECTION_IN_PARAM": select16, + "OS_CMD_INJECTION_IN_URL": select12, + "PROCMON": select5, + "REBOOT": msg81, + "ROLLBACK": msg82, + "SESSION_TIMEOUT": msg74, + "SLASH_DOT_IN_URL": select21, + "SQL_INJECTION_IN_PARAM": select14, + "SQL_INJECTION_IN_URL": select11, + "STM": select2, + "STM_WRAPPER": select3, + "SUPPORT_TUNNEL_OPEN": msg78, + "SYS": msg115, + "TILDE_IN_URL": select13, + "TRANSPARENT_MODE": msg77, + "UNKNOWN_CONTENT_TYPE": msg108, + "UNRECOGNIZED_COOKIE": msg106, + "UNSUCCESSFUL_LOGIN": msg76, + "UPDATE": msg1, + "eventmgr": select8, + }), + ]); + + var part94 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/0", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} %{p0}"); + + var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{result}]\" %{p0}"); + + var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); + + var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); + + var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); + + var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); + + var part100 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); + + var select23 = linear_select([ + dup13, + dup14, + ]); + + var part101 = match("MESSAGE#103:NO_DOMAIN_MATCH_IN_PROFILE", "nwparser.payload", "%{fld88->} %{fld89->} %{timezone->} %{category->} %{operation_id->} %{severity->} %{event_type->} %{saddr->} %{sport->} %{rulename->} %{rule_group->} %{action->} %{context->} [%{result}] %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}", processor_chain([ + dup17, + dup8, + ])); + + var select24 = linear_select([ + dup18, + dup19, + ]); + + var all6 = all_match({ + processors: [ + dup12, + dup23, + dup15, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + + var all7 = all_match({ + processors: [ + dup12, + dup23, + dup16, + ], + on_success: processor_chain([ + dup11, + dup8, + ]), + }); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/barracuda/0.11.2/data_stream/waf/elasticsearch/ingest_pipeline/default.yml b/packages/barracuda/0.11.2/data_stream/waf/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..87930822b8 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,68 @@ +--- +description: Pipeline for Barracuda Web Application Firewall + +processors: + - set: + field: ecs.version + value: '8.4.0' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/barracuda/0.11.2/data_stream/waf/fields/base-fields.yml b/packages/barracuda/0.11.2/data_stream/waf/fields/base-fields.yml new file mode 100755 index 0000000000..d0d9b118b1 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/fields/base-fields.yml @@ -0,0 +1,38 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: barracuda +- name: event.dataset + type: constant_keyword + description: Event dataset + value: barracuda.waf +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long diff --git a/packages/barracuda/0.11.2/data_stream/waf/fields/ecs.yml b/packages/barracuda/0.11.2/data_stream/waf/fields/ecs.yml new file mode 100755 index 0000000000..f7e5c95752 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/fields/ecs.yml @@ -0,0 +1,547 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/barracuda/0.11.2/data_stream/waf/fields/fields.yml b/packages/barracuda/0.11.2/data_stream/waf/fields/fields.yml new file mode 100755 index 0000000000..fc0f1ba52a --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/fields/fields.yml @@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + description: Server domain +- name: network.interface.name + type: keyword diff --git a/packages/barracuda/0.11.2/data_stream/waf/manifest.yml b/packages/barracuda/0.11.2/data_stream/waf/manifest.yml new file mode 100755 index 0000000000..be441842c5 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/manifest.yml @@ -0,0 +1,204 @@ +title: Barracuda Web Application Firewall logs +release: experimental +type: logs +streams: + - input: udp + title: Barracuda Web Application Firewall logs + description: Collect Barracuda Web Application Firewall logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - barracuda-waf + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 9525 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Barracuda Web Application Firewall logs + description: Collect Barracuda Web Application Firewall logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - barracuda-waf + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP port to listen on + multi: false + required: true + show_user: true + default: 9525 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + enabled: false + title: Barracuda Web Application Firewall logs + description: Collect Barracuda Web Application Firewall logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/barracuda-waf.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - barracuda-waf + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/barracuda/0.11.2/data_stream/waf/sample_event.json b/packages/barracuda/0.11.2/data_stream/waf/sample_event.json new file mode 100755 index 0000000000..4723713877 --- /dev/null +++ b/packages/barracuda/0.11.2/data_stream/waf/sample_event.json @@ -0,0 +1,53 @@ +{ + "@timestamp": "2022-01-25T12:00:38.364Z", + "agent": { + "ephemeral_id": "f9365b74-9e00-44e2-b49b-79fc41661db1", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "barracuda.waf", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "code": "PROCMON", + "dataset": "barracuda.waf", + "ingested": "2022-01-25T12:00:39Z", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:60254" + } + }, + "observer": { + "product": "Web", + "type": "WAF", + "vendor": "Barracuda" + }, + "rsa": { + "internal": { + "event_desc": "PROCMON: Started monitoring", + "messageid": "PROCMON" + } + }, + "tags": [ + "barracuda-waf", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/barracuda/0.11.2/docs/README.md b/packages/barracuda/0.11.2/docs/README.md new file mode 100755 index 0000000000..033ec587a1 --- /dev/null +++ b/packages/barracuda/0.11.2/docs/README.md @@ -0,0 +1,1587 @@ +# Barracuda integration + +This integration is for Barracuda device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `waf` dataset: supports Barracuda Web Application Firewall logs. +- `spamfirewall` dataset: supports Barracuda Spam Firewall logs. + +### Waf + +The `waf` dataset collects Barracuda Web Application Firewall logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | + +### Spamfirewall + +The `spamfirewall` dataset collects Barracuda Spam Firewall logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | + diff --git a/packages/barracuda/0.11.2/img/logo.svg b/packages/barracuda/0.11.2/img/logo.svg new file mode 100755 index 0000000000..555cdd6f8a --- /dev/null +++ b/packages/barracuda/0.11.2/img/logo.svg @@ -0,0 +1,100 @@ + + + + + + + + + diff --git a/packages/barracuda/0.11.2/manifest.yml b/packages/barracuda/0.11.2/manifest.yml new file mode 100755 index 0000000000..c1f07e10ca --- /dev/null +++ b/packages/barracuda/0.11.2/manifest.yml @@ -0,0 +1,32 @@ +format_version: 1.0.0 +name: barracuda +title: Barracuda Logs +version: "0.11.2" +description: Collect spam and web application firewall logs from Barracuda devices with Elastic Agent. +categories: ["network", "security"] +release: experimental +license: basic +type: integration +conditions: + kibana.version: "^7.14.1 || ^8.0.0" +policy_templates: + - name: barracuda + title: Barracuda logs + description: Collect Barracuda logs from syslog or a file. + inputs: + - type: udp + title: Collect logs from Barracuda via UDP + description: Collecting syslog from Barracuda via UDP + - type: tcp + title: Collect logs from Barracuda via TCP + description: Collecting syslog from Barracuda via TCP + - type: logfile + title: Collect logs from Barracuda via file + description: Collecting syslog from Barracuda via file. +icons: + - src: /img/logo.svg + title: Barracuda logo + size: 32x32 + type: image/svg+xml +owner: + github: elastic/security-external-integrations diff --git a/packages/bluecoat/0.10.2/LICENSE.txt b/packages/bluecoat/0.10.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/bluecoat/0.10.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/bluecoat/0.10.2/changelog.yml b/packages/bluecoat/0.10.2/changelog.yml new file mode 100755 index 0000000000..0d63a4b6af --- /dev/null +++ b/packages/bluecoat/0.10.2/changelog.yml @@ -0,0 +1,106 @@ +# newer versions go on top +- version: "0.10.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4399 +- version: "0.10.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "0.10.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3841 +- version: "0.9.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "0.8.0" + changes: + - description: Update to ECS 8.2.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "0.7.0" + changes: + - description: Update to ECS 8.0.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2576 +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.6.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2247 +- version: "0.5.4" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2019 +- version: "0.5.3" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1948 +- version: "0.5.2" + changes: + - description: Fixed a bug that prevents the package from working in 7.16. + type: bugfix + link: https://github.com/elastic/integrations/pull/1882 +- version: "0.5.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1800 +- version: "0.5.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1650 +- version: "0.4.3" + changes: + - description: Requires version 7.14.1 of the stack + type: bugfix + link: https://github.com/elastic/integrations/pull/1541 +- version: "0.4.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1468 +- version: '0.4.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1374 +- version: "0.4.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.3.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1254 +- version: "0.2.0" + changes: + - description: update to ECS 1.10.0, add event.original options, and preparing for fleet GA. + type: enhancement + link: https://github.com/elastic/integrations/pull/1072 +- version: "0.1.4" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/837 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/package-storage/pull/181 diff --git a/packages/bluecoat/0.10.2/data_stream/director/agent/stream/stream.yml.hbs b/packages/bluecoat/0.10.2/data_stream/director/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..a2c0ac844f --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/agent/stream/stream.yml.hbs @@ -0,0 +1,3817 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Bluecoat" + product: "Director" + type: "Configuration" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{username}@%{p0}"); + + var dup3 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); + + var dup4 = setc("eventcategory","1605000000"); + + var dup5 = setf("msg","$MSG"); + + var dup6 = setc("event_description","bad variable"); + + var dup7 = setc("event_description","This file is automatically generated"); + + var dup8 = setc("eventcategory","1603000000"); + + var dup9 = setc("event_description","authentication failure"); + + var dup10 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{p0}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command: %{p0}"); + + var part2 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{domain->} : Processing command: %{p0}"); + + var select2 = linear_select([ + part1, + part2, + ]); + + var all1 = all_match({ + processors: [ + dup2, + select2, + dup3, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg1 = msg("cli", all1); + + var part3 = match("MESSAGE#1:cli:01/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command %{p0}"); + + var part4 = match("MESSAGE#1:cli:01/1_1", "nwparser.p0", "%{domain->} : Processing command %{p0}"); + + var select3 = linear_select([ + part3, + part4, + ]); + + var all2 = all_match({ + processors: [ + dup2, + select3, + dup3, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg2 = msg("cli:01", all2); + + var part5 = match("MESSAGE#2:cli:02/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving config mode"); + + var part6 = match("MESSAGE#2:cli:02/1_1", "nwparser.p0", "%{domain->} : Leaving config mode"); + + var select4 = linear_select([ + part5, + part6, + ]); + + var all3 = all_match({ + processors: [ + dup2, + select4, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Leaving config mode"), + ]), + }); + + var msg3 = msg("cli:02", all3); + + var part7 = match("MESSAGE#3:cli:03/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering config mode"); + + var part8 = match("MESSAGE#3:cli:03/1_1", "nwparser.p0", "%{domain->} : Entering config mode"); + + var select5 = linear_select([ + part7, + part8, + ]); + + var all4 = all_match({ + processors: [ + dup2, + select5, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Entering config mode"), + ]), + }); + + var msg4 = msg("cli:03", all4); + + var part9 = match("MESSAGE#4:cli:04/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI exiting"); + + var part10 = match("MESSAGE#4:cli:04/1_1", "nwparser.p0", "%{domain->} : CLI exiting"); + + var select6 = linear_select([ + part9, + part10, + ]); + + var all5 = all_match({ + processors: [ + dup2, + select6, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","CLI exiting"), + ]), + }); + + var msg5 = msg("cli:04", all5); + + var part11 = match("MESSAGE#5:cli:05/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI launched"); + + var part12 = match("MESSAGE#5:cli:05/1_1", "nwparser.p0", "%{domain->} : CLI launched"); + + var select7 = linear_select([ + part11, + part12, + ]); + + var all6 = all_match({ + processors: [ + dup2, + select7, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","CLI launched"), + ]), + }); + + var msg6 = msg("cli:05", all6); + + var part13 = match("MESSAGE#6:Automatically/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Automatically logged out due to keyboard inactivity."); + + var part14 = match("MESSAGE#6:Automatically/1_1", "nwparser.p0", "%{domain->} : Automatically logged out due to keyboard inactivity."); + + var select8 = linear_select([ + part13, + part14, + ]); + + var all7 = all_match({ + processors: [ + dup2, + select8, + ], + on_success: processor_chain([ + dup4, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup5, + setc("event_description","Automatically logged out due to keyboard inactivity"), + ]), + }); + + var msg7 = msg("Automatically", all7); + + var part15 = match("MESSAGE#7:cli:06/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering enable mode"); + + var part16 = match("MESSAGE#7:cli:06/1_1", "nwparser.p0", "%{domain->} : Entering enable mode"); + + var select9 = linear_select([ + part15, + part16, + ]); + + var all8 = all_match({ + processors: [ + dup2, + select9, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Entering enable mode"), + ]), + }); + + var msg8 = msg("cli:06", all8); + + var part17 = match("MESSAGE#8:cli:07/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving enable mode"); + + var part18 = match("MESSAGE#8:cli:07/1_1", "nwparser.p0", "%{domain->} : Leaving enable mode"); + + var select10 = linear_select([ + part17, + part18, + ]); + + var all9 = all_match({ + processors: [ + dup2, + select10, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Leaving enable mode"), + ]), + }); + + var msg9 = msg("cli:07", all9); + + var part19 = match("MESSAGE#9:Processing/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing a secure command..."); + + var part20 = match("MESSAGE#9:Processing/1_1", "nwparser.p0", "%{domain->} : Processing a secure command..."); + + var select11 = linear_select([ + part19, + part20, + ]); + + var all10 = all_match({ + processors: [ + dup2, + select11, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Processing a secure command"), + ]), + }); + + var msg10 = msg("Processing", all10); + + var msg11 = msg("cli:pam", dup10); + + var select12 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + ]); + + var part21 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup4, + dup5, + ])); + + var msg12 = msg("schedulerd", part21); + + var part22 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup4, + dup5, + setc("event_description","System time changed, recomputing job run times"), + ])); + + var msg13 = msg("schedulerd:01", part22); + + var select13 = linear_select([ + msg12, + msg13, + ]); + + var part23 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%{filename}\" for device \"%{hostname}\".", processor_chain([ + dup4, + dup5, + ])); + + var msg14 = msg("configd:Rotating", part23); + + var part24 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg15 = msg("configd:Deleting", part24); + + var part25 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup4, + dup5, + ])); + + var msg16 = msg("configd", part25); + + var part26 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg17 = msg("configd:01", part26); + + var part27 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg18 = msg("configd:11", part27); + + var part28 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup4, + dup5, + dup7, + ])); + + var msg19 = msg("file", part28); + + var part29 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg20 = msg("configd:02", part29); + + var part30 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg21 = msg("configd:22", part30); + + var part31 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg22 = msg("configd:03", part31); + + var part32 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg23 = msg("configd:33", part32); + + var part33 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup4, + dup5, + setc("event_description","Backup import command finished for all devices"), + ])); + + var msg24 = msg("Backup", part33); + + var part34 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup4, + dup5, + setc("event_description","Beginning to make backup of cache"), + ])); + + var msg25 = msg("Beginning", part34); + + var part35 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup4, + dup5, + setc("event_description","Inputting overlay"), + ])); + + var msg26 = msg("Inputting", part35); + + var part36 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg27 = msg("Saved", part36); + + var part37 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg28 = msg("Importing", part37); + + var part38 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg29 = msg("Overlay", part38); + + var part39 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg30 = msg("Executed", part39); + + var part40 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup4, + dup5, + setc("event_description","Configuration system online"), + ])); + + var msg31 = msg("Configuration", part40); + + var part41 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","Table creation"), + ])); + + var msg32 = msg("Create", part41); + + var part42 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup4, + dup5, + setc("event_description","Loaded config file initial"), + ])); + + var msg33 = msg("Loaded", part42); + + var part43 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","Setting set-reply timeout"), + ])); + + var msg34 = msg("Setting", part43); + + var part44 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg35 = msg("CCD", part44); + + var part45 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup4, + dup5, + ])); + + var msg36 = msg("Device", part45); + + var part46 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup4, + dup5, + ])); + + var msg37 = msg("Output", part46); + + var part47 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg38 = msg("ssh", part47); + + var part48 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup4, + dup5, + setc("event_description","Applying overlay to group"), + ])); + + var msg39 = msg("Applying", part48); + + var part49 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup4, + dup5, + setc("event_description","Applying overlay to cache"), + ])); + + var msg40 = msg("Applying:01", part49); + + var part50 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". ID %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","Backup complete for device"), + ])); + + var msg41 = msg("configd:backup", part50); + + var part51 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup4, + dup5, + dup7, + ])); + + var msg42 = msg("file:01", part51); + + var part52 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup4, + dup5, + setc("event_description","Connection reset by peer"), + ])); + + var msg43 = msg("configd:connection", part52); + + var part53 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup4, + dup5, + setc("event_description","cd session read failed"), + ])); + + var msg44 = msg("configd:failed", part53); + + var select14 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part54 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup4, + dup5, + setc("event_description","Querying content system for job results"), + ])); + + var msg45 = msg("poller", part54); + + var part55 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg46 = msg("heartbeat", part55); + + var part56 = match("MESSAGE#46:heartbeat:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg47 = msg("heartbeat:01", part56); + + var part57 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup4, + dup5, + setc("event_description","director heartbeat client exiting"), + ])); + + var msg48 = msg("heartbeat:02", part57); + + var part58 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup4, + dup5, + setc("event_description","director heartbeat client launched"), + ])); + + var msg49 = msg("heartbeat:03", part58); + + var part59 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{filename}: undefined symbol: %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","undefined symbol"), + ])); + + var msg50 = msg("heartbeat:crit1", part59); + + var part60 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","No such file or directory"), + ])); + + var msg51 = msg("heartbeat:crit2", part60); + + var select15 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part61 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". Output %{fld9}: %{result}", processor_chain([ + dup4, + dup5, + ])); + + var msg52 = msg("runner", part61); + + var part62 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg53 = msg("runner:01", part62); + + var part63 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup4, + dup5, + ])); + + var msg54 = msg("runner:02", part63); + + var part64 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg55 = msg("runner:crit1", part64); + + var part65 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup4, + dup5, + setc("event_description","File reading failed"), + ])); + + var msg56 = msg("runner:crit2", part65); + + var select16 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + ]); + + var part66 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup4, + dup5, + ])); + + var msg57 = msg("ccd", part66); + + var part67 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup4, + dup5, + ])); + + var msg58 = msg("ccd:01", part67); + + var part68 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup4, + dup5, + ])); + + var msg59 = msg("ccd:03", part68); + + var part69 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup4, + dup5, + ])); + + var msg60 = msg("ccd:04", part69); + + var part70 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","info on device connection"), + ])); + + var msg61 = msg("ccd:02", part70); + + var part71 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","write to ssh pipe"), + ])); + + var msg62 = msg("ccd:05", part71); + + var part72 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","ccd handle read failure"), + ])); + + var msg63 = msg("ccd:06", part72); + + var part73 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup4, + dup5, + setc("event_description","device communication daemon online"), + ])); + + var msg64 = msg("ccd:07", part73); + + var part74 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","system memory size"), + ])); + + var msg65 = msg("ccd:08", part74); + + var select17 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + ]); + + var part75 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ + dup8, + dup5, + ])); + + var msg66 = msg("sshd", part75); + + var part76 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","bad username"), + ])); + + var msg67 = msg("sshd:01", part76); + + var part77 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup4, + dup5, + dup9, + ])); + + var msg68 = msg("sshd:02", part77); + + var part78 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup4, + dup5, + setc("event_description","check pass, user unknown"), + ])); + + var msg69 = msg("sshd:03", part78); + + var part79 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup4, + dup5, + dup9, + ])); + + var msg70 = msg("sshd:04", part79); + + var msg71 = msg("sshd:pam", dup10); + + var select18 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + ]); + + var part80 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup4, + dup5, + ])); + + var msg72 = msg("dmd", part80); + + var part81 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg73 = msg("dmd:01", part81); + + var part82 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg74 = msg("dmd:11", part82); + + var part83 = match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg75 = msg("dmd:02", part83); + + var part84 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup8, + dup5, + ])); + + var msg76 = msg("dmd:03", part84); + + var select19 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + ]); + + var part85 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ALERT exited abnormally"), + ])); + + var msg77 = msg("logrotate", part85); + + var part86 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","kernel time sync enabled"), + ])); + + var msg78 = msg("ntpd", part86); + + var part87 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","time reset"), + ])); + + var msg79 = msg("ntpd:01", part87); + + var part88 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup4, + dup5, + ])); + + var msg80 = msg("ntpd:02", part88); + + var part89 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg81 = msg("ntpd:03", part89); + + var select20 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part90 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd will start in few secs"), + ])); + + var msg82 = msg("pm", part90); + + var part91 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd started"), + ])); + + var msg83 = msg("pm:01", part91); + + var part92 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","print message"), + ])); + + var msg84 = msg("pm:02", part92); + + var part93 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup4, + dup5, + setc("event_description","service started"), + ])); + + var msg85 = msg("pm:03", part93); + + var part94 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","service will start"), + ])); + + var msg86 = msg("pm:04", part94); + + var part95 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","check license validity"), + ])); + + var msg87 = msg("pm:05", part95); + + var part96 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup4, + dup5, + setc("event_description","connected to config daemon"), + ])); + + var msg88 = msg("pm:06", part96); + + var select21 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part97 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","updated timestamp"), + ])); + + var msg89 = msg("anacron", part97); + + var part98 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","anacron started"), + ])); + + var msg90 = msg("anacron:01", part98); + + var part99 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","normal exit"), + ])); + + var msg91 = msg("anacron:02", part99); + + var select22 = linear_select([ + msg89, + msg90, + msg91, + ]); + + var part100 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup4, + dup5, + setc("event_description","invalid packet size"), + ])); + + var msg92 = msg("epmd", part100); + + var part101 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup4, + dup5, + ])); + + var msg93 = msg("epmd:01", part101); + + var part102 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup4, + dup5, + ])); + + var msg94 = msg("epmd:02", part102); + + var select23 = linear_select([ + msg92, + msg93, + msg94, + ]); + + var part103 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg95 = msg("xinetd", part103); + + var part104 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup4, + dup5, + ])); + + var msg96 = msg("xinetd:01", part104); + + var select24 = linear_select([ + msg95, + msg96, + ]); + + var part105 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup4, + dup5, + setc("event_description","Audit daemon rotating log files"), + ])); + + var msg97 = msg("auditd", part105); + + var part106 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %{filename}: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","Reset file"), + ])); + + var msg98 = msg("restorecond", part106); + + var part107 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","handle authd unknown message"), + ])); + + var msg99 = msg("authd", part107); + + var part108 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","authd signal handler"), + ])); + + var msg100 = msg("authd:01", part108); + + var part109 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","authd close"), + ])); + + var msg101 = msg("authd:02", part109); + + var select25 = linear_select([ + msg99, + msg100, + msg101, + ]); + + var part110 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + + var part111 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + + var part112 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + + var select26 = linear_select([ + part111, + part112, + ]); + + var part113 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + + var all11 = all_match({ + processors: [ + part110, + select26, + part113, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg102 = msg("rsyslogd", all11); + + var part114 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","shutting down"), + ])); + + var msg103 = msg("shutdown", part114); + + var part115 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","cmd starting"), + ])); + + var msg104 = msg("cmd", part115); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select22, + "auditd": msg97, + "authd": select25, + "ccd": select17, + "cli": select12, + "cmd": msg104, + "configd": select14, + "dmd": select19, + "epmd": select23, + "heartbeat": select15, + "logrotate": msg77, + "ntpd": select20, + "pm": select21, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select16, + "schedulerd": select13, + "shutdown": msg103, + "sshd": select18, + "xinetd": select24, + }), + ]); + + var part116 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{username}@%{p0}"); + + var part117 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); + + var part118 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup4, + dup5, + dup6, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/bluecoat/0.10.2/data_stream/director/agent/stream/tcp.yml.hbs b/packages/bluecoat/0.10.2/data_stream/director/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..07518aa8be --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/agent/stream/tcp.yml.hbs @@ -0,0 +1,3814 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Bluecoat" + product: "Director" + type: "Configuration" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{username}@%{p0}"); + + var dup3 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); + + var dup4 = setc("eventcategory","1605000000"); + + var dup5 = setf("msg","$MSG"); + + var dup6 = setc("event_description","bad variable"); + + var dup7 = setc("event_description","This file is automatically generated"); + + var dup8 = setc("eventcategory","1603000000"); + + var dup9 = setc("event_description","authentication failure"); + + var dup10 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{p0}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command: %{p0}"); + + var part2 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{domain->} : Processing command: %{p0}"); + + var select2 = linear_select([ + part1, + part2, + ]); + + var all1 = all_match({ + processors: [ + dup2, + select2, + dup3, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg1 = msg("cli", all1); + + var part3 = match("MESSAGE#1:cli:01/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command %{p0}"); + + var part4 = match("MESSAGE#1:cli:01/1_1", "nwparser.p0", "%{domain->} : Processing command %{p0}"); + + var select3 = linear_select([ + part3, + part4, + ]); + + var all2 = all_match({ + processors: [ + dup2, + select3, + dup3, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg2 = msg("cli:01", all2); + + var part5 = match("MESSAGE#2:cli:02/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving config mode"); + + var part6 = match("MESSAGE#2:cli:02/1_1", "nwparser.p0", "%{domain->} : Leaving config mode"); + + var select4 = linear_select([ + part5, + part6, + ]); + + var all3 = all_match({ + processors: [ + dup2, + select4, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Leaving config mode"), + ]), + }); + + var msg3 = msg("cli:02", all3); + + var part7 = match("MESSAGE#3:cli:03/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering config mode"); + + var part8 = match("MESSAGE#3:cli:03/1_1", "nwparser.p0", "%{domain->} : Entering config mode"); + + var select5 = linear_select([ + part7, + part8, + ]); + + var all4 = all_match({ + processors: [ + dup2, + select5, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Entering config mode"), + ]), + }); + + var msg4 = msg("cli:03", all4); + + var part9 = match("MESSAGE#4:cli:04/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI exiting"); + + var part10 = match("MESSAGE#4:cli:04/1_1", "nwparser.p0", "%{domain->} : CLI exiting"); + + var select6 = linear_select([ + part9, + part10, + ]); + + var all5 = all_match({ + processors: [ + dup2, + select6, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","CLI exiting"), + ]), + }); + + var msg5 = msg("cli:04", all5); + + var part11 = match("MESSAGE#5:cli:05/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI launched"); + + var part12 = match("MESSAGE#5:cli:05/1_1", "nwparser.p0", "%{domain->} : CLI launched"); + + var select7 = linear_select([ + part11, + part12, + ]); + + var all6 = all_match({ + processors: [ + dup2, + select7, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","CLI launched"), + ]), + }); + + var msg6 = msg("cli:05", all6); + + var part13 = match("MESSAGE#6:Automatically/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Automatically logged out due to keyboard inactivity."); + + var part14 = match("MESSAGE#6:Automatically/1_1", "nwparser.p0", "%{domain->} : Automatically logged out due to keyboard inactivity."); + + var select8 = linear_select([ + part13, + part14, + ]); + + var all7 = all_match({ + processors: [ + dup2, + select8, + ], + on_success: processor_chain([ + dup4, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup5, + setc("event_description","Automatically logged out due to keyboard inactivity"), + ]), + }); + + var msg7 = msg("Automatically", all7); + + var part15 = match("MESSAGE#7:cli:06/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering enable mode"); + + var part16 = match("MESSAGE#7:cli:06/1_1", "nwparser.p0", "%{domain->} : Entering enable mode"); + + var select9 = linear_select([ + part15, + part16, + ]); + + var all8 = all_match({ + processors: [ + dup2, + select9, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Entering enable mode"), + ]), + }); + + var msg8 = msg("cli:06", all8); + + var part17 = match("MESSAGE#8:cli:07/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving enable mode"); + + var part18 = match("MESSAGE#8:cli:07/1_1", "nwparser.p0", "%{domain->} : Leaving enable mode"); + + var select10 = linear_select([ + part17, + part18, + ]); + + var all9 = all_match({ + processors: [ + dup2, + select10, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Leaving enable mode"), + ]), + }); + + var msg9 = msg("cli:07", all9); + + var part19 = match("MESSAGE#9:Processing/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing a secure command..."); + + var part20 = match("MESSAGE#9:Processing/1_1", "nwparser.p0", "%{domain->} : Processing a secure command..."); + + var select11 = linear_select([ + part19, + part20, + ]); + + var all10 = all_match({ + processors: [ + dup2, + select11, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Processing a secure command"), + ]), + }); + + var msg10 = msg("Processing", all10); + + var msg11 = msg("cli:pam", dup10); + + var select12 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + ]); + + var part21 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup4, + dup5, + ])); + + var msg12 = msg("schedulerd", part21); + + var part22 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup4, + dup5, + setc("event_description","System time changed, recomputing job run times"), + ])); + + var msg13 = msg("schedulerd:01", part22); + + var select13 = linear_select([ + msg12, + msg13, + ]); + + var part23 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%{filename}\" for device \"%{hostname}\".", processor_chain([ + dup4, + dup5, + ])); + + var msg14 = msg("configd:Rotating", part23); + + var part24 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg15 = msg("configd:Deleting", part24); + + var part25 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup4, + dup5, + ])); + + var msg16 = msg("configd", part25); + + var part26 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg17 = msg("configd:01", part26); + + var part27 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg18 = msg("configd:11", part27); + + var part28 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup4, + dup5, + dup7, + ])); + + var msg19 = msg("file", part28); + + var part29 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg20 = msg("configd:02", part29); + + var part30 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg21 = msg("configd:22", part30); + + var part31 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg22 = msg("configd:03", part31); + + var part32 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg23 = msg("configd:33", part32); + + var part33 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup4, + dup5, + setc("event_description","Backup import command finished for all devices"), + ])); + + var msg24 = msg("Backup", part33); + + var part34 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup4, + dup5, + setc("event_description","Beginning to make backup of cache"), + ])); + + var msg25 = msg("Beginning", part34); + + var part35 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup4, + dup5, + setc("event_description","Inputting overlay"), + ])); + + var msg26 = msg("Inputting", part35); + + var part36 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg27 = msg("Saved", part36); + + var part37 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg28 = msg("Importing", part37); + + var part38 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg29 = msg("Overlay", part38); + + var part39 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg30 = msg("Executed", part39); + + var part40 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup4, + dup5, + setc("event_description","Configuration system online"), + ])); + + var msg31 = msg("Configuration", part40); + + var part41 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","Table creation"), + ])); + + var msg32 = msg("Create", part41); + + var part42 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup4, + dup5, + setc("event_description","Loaded config file initial"), + ])); + + var msg33 = msg("Loaded", part42); + + var part43 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","Setting set-reply timeout"), + ])); + + var msg34 = msg("Setting", part43); + + var part44 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg35 = msg("CCD", part44); + + var part45 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup4, + dup5, + ])); + + var msg36 = msg("Device", part45); + + var part46 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup4, + dup5, + ])); + + var msg37 = msg("Output", part46); + + var part47 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg38 = msg("ssh", part47); + + var part48 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup4, + dup5, + setc("event_description","Applying overlay to group"), + ])); + + var msg39 = msg("Applying", part48); + + var part49 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup4, + dup5, + setc("event_description","Applying overlay to cache"), + ])); + + var msg40 = msg("Applying:01", part49); + + var part50 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". ID %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","Backup complete for device"), + ])); + + var msg41 = msg("configd:backup", part50); + + var part51 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup4, + dup5, + dup7, + ])); + + var msg42 = msg("file:01", part51); + + var part52 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup4, + dup5, + setc("event_description","Connection reset by peer"), + ])); + + var msg43 = msg("configd:connection", part52); + + var part53 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup4, + dup5, + setc("event_description","cd session read failed"), + ])); + + var msg44 = msg("configd:failed", part53); + + var select14 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part54 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup4, + dup5, + setc("event_description","Querying content system for job results"), + ])); + + var msg45 = msg("poller", part54); + + var part55 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg46 = msg("heartbeat", part55); + + var part56 = match("MESSAGE#46:heartbeat:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg47 = msg("heartbeat:01", part56); + + var part57 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup4, + dup5, + setc("event_description","director heartbeat client exiting"), + ])); + + var msg48 = msg("heartbeat:02", part57); + + var part58 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup4, + dup5, + setc("event_description","director heartbeat client launched"), + ])); + + var msg49 = msg("heartbeat:03", part58); + + var part59 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{filename}: undefined symbol: %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","undefined symbol"), + ])); + + var msg50 = msg("heartbeat:crit1", part59); + + var part60 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","No such file or directory"), + ])); + + var msg51 = msg("heartbeat:crit2", part60); + + var select15 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part61 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". Output %{fld9}: %{result}", processor_chain([ + dup4, + dup5, + ])); + + var msg52 = msg("runner", part61); + + var part62 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg53 = msg("runner:01", part62); + + var part63 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup4, + dup5, + ])); + + var msg54 = msg("runner:02", part63); + + var part64 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg55 = msg("runner:crit1", part64); + + var part65 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup4, + dup5, + setc("event_description","File reading failed"), + ])); + + var msg56 = msg("runner:crit2", part65); + + var select16 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + ]); + + var part66 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup4, + dup5, + ])); + + var msg57 = msg("ccd", part66); + + var part67 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup4, + dup5, + ])); + + var msg58 = msg("ccd:01", part67); + + var part68 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup4, + dup5, + ])); + + var msg59 = msg("ccd:03", part68); + + var part69 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup4, + dup5, + ])); + + var msg60 = msg("ccd:04", part69); + + var part70 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","info on device connection"), + ])); + + var msg61 = msg("ccd:02", part70); + + var part71 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","write to ssh pipe"), + ])); + + var msg62 = msg("ccd:05", part71); + + var part72 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","ccd handle read failure"), + ])); + + var msg63 = msg("ccd:06", part72); + + var part73 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup4, + dup5, + setc("event_description","device communication daemon online"), + ])); + + var msg64 = msg("ccd:07", part73); + + var part74 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","system memory size"), + ])); + + var msg65 = msg("ccd:08", part74); + + var select17 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + ]); + + var part75 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ + dup8, + dup5, + ])); + + var msg66 = msg("sshd", part75); + + var part76 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","bad username"), + ])); + + var msg67 = msg("sshd:01", part76); + + var part77 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup4, + dup5, + dup9, + ])); + + var msg68 = msg("sshd:02", part77); + + var part78 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup4, + dup5, + setc("event_description","check pass, user unknown"), + ])); + + var msg69 = msg("sshd:03", part78); + + var part79 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup4, + dup5, + dup9, + ])); + + var msg70 = msg("sshd:04", part79); + + var msg71 = msg("sshd:pam", dup10); + + var select18 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + ]); + + var part80 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup4, + dup5, + ])); + + var msg72 = msg("dmd", part80); + + var part81 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg73 = msg("dmd:01", part81); + + var part82 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg74 = msg("dmd:11", part82); + + var part83 = match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg75 = msg("dmd:02", part83); + + var part84 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup8, + dup5, + ])); + + var msg76 = msg("dmd:03", part84); + + var select19 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + ]); + + var part85 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ALERT exited abnormally"), + ])); + + var msg77 = msg("logrotate", part85); + + var part86 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","kernel time sync enabled"), + ])); + + var msg78 = msg("ntpd", part86); + + var part87 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","time reset"), + ])); + + var msg79 = msg("ntpd:01", part87); + + var part88 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup4, + dup5, + ])); + + var msg80 = msg("ntpd:02", part88); + + var part89 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg81 = msg("ntpd:03", part89); + + var select20 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part90 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd will start in few secs"), + ])); + + var msg82 = msg("pm", part90); + + var part91 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd started"), + ])); + + var msg83 = msg("pm:01", part91); + + var part92 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","print message"), + ])); + + var msg84 = msg("pm:02", part92); + + var part93 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup4, + dup5, + setc("event_description","service started"), + ])); + + var msg85 = msg("pm:03", part93); + + var part94 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","service will start"), + ])); + + var msg86 = msg("pm:04", part94); + + var part95 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","check license validity"), + ])); + + var msg87 = msg("pm:05", part95); + + var part96 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup4, + dup5, + setc("event_description","connected to config daemon"), + ])); + + var msg88 = msg("pm:06", part96); + + var select21 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part97 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","updated timestamp"), + ])); + + var msg89 = msg("anacron", part97); + + var part98 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","anacron started"), + ])); + + var msg90 = msg("anacron:01", part98); + + var part99 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","normal exit"), + ])); + + var msg91 = msg("anacron:02", part99); + + var select22 = linear_select([ + msg89, + msg90, + msg91, + ]); + + var part100 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup4, + dup5, + setc("event_description","invalid packet size"), + ])); + + var msg92 = msg("epmd", part100); + + var part101 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup4, + dup5, + ])); + + var msg93 = msg("epmd:01", part101); + + var part102 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup4, + dup5, + ])); + + var msg94 = msg("epmd:02", part102); + + var select23 = linear_select([ + msg92, + msg93, + msg94, + ]); + + var part103 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg95 = msg("xinetd", part103); + + var part104 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup4, + dup5, + ])); + + var msg96 = msg("xinetd:01", part104); + + var select24 = linear_select([ + msg95, + msg96, + ]); + + var part105 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup4, + dup5, + setc("event_description","Audit daemon rotating log files"), + ])); + + var msg97 = msg("auditd", part105); + + var part106 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %{filename}: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","Reset file"), + ])); + + var msg98 = msg("restorecond", part106); + + var part107 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","handle authd unknown message"), + ])); + + var msg99 = msg("authd", part107); + + var part108 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","authd signal handler"), + ])); + + var msg100 = msg("authd:01", part108); + + var part109 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","authd close"), + ])); + + var msg101 = msg("authd:02", part109); + + var select25 = linear_select([ + msg99, + msg100, + msg101, + ]); + + var part110 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + + var part111 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + + var part112 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + + var select26 = linear_select([ + part111, + part112, + ]); + + var part113 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + + var all11 = all_match({ + processors: [ + part110, + select26, + part113, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg102 = msg("rsyslogd", all11); + + var part114 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","shutting down"), + ])); + + var msg103 = msg("shutdown", part114); + + var part115 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","cmd starting"), + ])); + + var msg104 = msg("cmd", part115); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select22, + "auditd": msg97, + "authd": select25, + "ccd": select17, + "cli": select12, + "cmd": msg104, + "configd": select14, + "dmd": select19, + "epmd": select23, + "heartbeat": select15, + "logrotate": msg77, + "ntpd": select20, + "pm": select21, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select16, + "schedulerd": select13, + "shutdown": msg103, + "sshd": select18, + "xinetd": select24, + }), + ]); + + var part116 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{username}@%{p0}"); + + var part117 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); + + var part118 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup4, + dup5, + dup6, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/bluecoat/0.10.2/data_stream/director/agent/stream/udp.yml.hbs b/packages/bluecoat/0.10.2/data_stream/director/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..d26ca500a3 --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/agent/stream/udp.yml.hbs @@ -0,0 +1,3814 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Bluecoat" + product: "Director" + type: "Configuration" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i %{username}@%{p0}"); + + var dup3 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); + + var dup4 = setc("eventcategory","1605000000"); + + var dup5 = setf("msg","$MSG"); + + var dup6 = setc("event_description","bad variable"); + + var dup7 = setc("event_description","This file is automatically generated"); + + var dup8 = setc("eventcategory","1603000000"); + + var dup9 = setc("event_description","authentication failure"); + + var dup10 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{p0}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld5"), + constant("]: "), + field("p0"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{p0}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command: %{p0}"); + + var part2 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{domain->} : Processing command: %{p0}"); + + var select2 = linear_select([ + part1, + part2, + ]); + + var all1 = all_match({ + processors: [ + dup2, + select2, + dup3, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg1 = msg("cli", all1); + + var part3 = match("MESSAGE#1:cli:01/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command %{p0}"); + + var part4 = match("MESSAGE#1:cli:01/1_1", "nwparser.p0", "%{domain->} : Processing command %{p0}"); + + var select3 = linear_select([ + part3, + part4, + ]); + + var all2 = all_match({ + processors: [ + dup2, + select3, + dup3, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg2 = msg("cli:01", all2); + + var part5 = match("MESSAGE#2:cli:02/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving config mode"); + + var part6 = match("MESSAGE#2:cli:02/1_1", "nwparser.p0", "%{domain->} : Leaving config mode"); + + var select4 = linear_select([ + part5, + part6, + ]); + + var all3 = all_match({ + processors: [ + dup2, + select4, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Leaving config mode"), + ]), + }); + + var msg3 = msg("cli:02", all3); + + var part7 = match("MESSAGE#3:cli:03/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering config mode"); + + var part8 = match("MESSAGE#3:cli:03/1_1", "nwparser.p0", "%{domain->} : Entering config mode"); + + var select5 = linear_select([ + part7, + part8, + ]); + + var all4 = all_match({ + processors: [ + dup2, + select5, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Entering config mode"), + ]), + }); + + var msg4 = msg("cli:03", all4); + + var part9 = match("MESSAGE#4:cli:04/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI exiting"); + + var part10 = match("MESSAGE#4:cli:04/1_1", "nwparser.p0", "%{domain->} : CLI exiting"); + + var select6 = linear_select([ + part9, + part10, + ]); + + var all5 = all_match({ + processors: [ + dup2, + select6, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","CLI exiting"), + ]), + }); + + var msg5 = msg("cli:04", all5); + + var part11 = match("MESSAGE#5:cli:05/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI launched"); + + var part12 = match("MESSAGE#5:cli:05/1_1", "nwparser.p0", "%{domain->} : CLI launched"); + + var select7 = linear_select([ + part11, + part12, + ]); + + var all6 = all_match({ + processors: [ + dup2, + select7, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","CLI launched"), + ]), + }); + + var msg6 = msg("cli:05", all6); + + var part13 = match("MESSAGE#6:Automatically/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Automatically logged out due to keyboard inactivity."); + + var part14 = match("MESSAGE#6:Automatically/1_1", "nwparser.p0", "%{domain->} : Automatically logged out due to keyboard inactivity."); + + var select8 = linear_select([ + part13, + part14, + ]); + + var all7 = all_match({ + processors: [ + dup2, + select8, + ], + on_success: processor_chain([ + dup4, + setc("ec_subject","User"), + setc("ec_activity","Logoff"), + dup5, + setc("event_description","Automatically logged out due to keyboard inactivity"), + ]), + }); + + var msg7 = msg("Automatically", all7); + + var part15 = match("MESSAGE#7:cli:06/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering enable mode"); + + var part16 = match("MESSAGE#7:cli:06/1_1", "nwparser.p0", "%{domain->} : Entering enable mode"); + + var select9 = linear_select([ + part15, + part16, + ]); + + var all8 = all_match({ + processors: [ + dup2, + select9, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Entering enable mode"), + ]), + }); + + var msg8 = msg("cli:06", all8); + + var part17 = match("MESSAGE#8:cli:07/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving enable mode"); + + var part18 = match("MESSAGE#8:cli:07/1_1", "nwparser.p0", "%{domain->} : Leaving enable mode"); + + var select10 = linear_select([ + part17, + part18, + ]); + + var all9 = all_match({ + processors: [ + dup2, + select10, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Leaving enable mode"), + ]), + }); + + var msg9 = msg("cli:07", all9); + + var part19 = match("MESSAGE#9:Processing/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing a secure command..."); + + var part20 = match("MESSAGE#9:Processing/1_1", "nwparser.p0", "%{domain->} : Processing a secure command..."); + + var select11 = linear_select([ + part19, + part20, + ]); + + var all10 = all_match({ + processors: [ + dup2, + select11, + ], + on_success: processor_chain([ + dup4, + dup5, + setc("event_description","Processing a secure command"), + ]), + }); + + var msg10 = msg("Processing", all10); + + var msg11 = msg("cli:pam", dup10); + + var select12 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + ]); + + var part21 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup4, + dup5, + ])); + + var msg12 = msg("schedulerd", part21); + + var part22 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup4, + dup5, + setc("event_description","System time changed, recomputing job run times"), + ])); + + var msg13 = msg("schedulerd:01", part22); + + var select13 = linear_select([ + msg12, + msg13, + ]); + + var part23 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%{filename}\" for device \"%{hostname}\".", processor_chain([ + dup4, + dup5, + ])); + + var msg14 = msg("configd:Rotating", part23); + + var part24 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg15 = msg("configd:Deleting", part24); + + var part25 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup4, + dup5, + ])); + + var msg16 = msg("configd", part25); + + var part26 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg17 = msg("configd:01", part26); + + var part27 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg18 = msg("configd:11", part27); + + var part28 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup4, + dup5, + dup7, + ])); + + var msg19 = msg("file", part28); + + var part29 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg20 = msg("configd:02", part29); + + var part30 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg21 = msg("configd:22", part30); + + var part31 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg22 = msg("configd:03", part31); + + var part32 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg23 = msg("configd:33", part32); + + var part33 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup4, + dup5, + setc("event_description","Backup import command finished for all devices"), + ])); + + var msg24 = msg("Backup", part33); + + var part34 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup4, + dup5, + setc("event_description","Beginning to make backup of cache"), + ])); + + var msg25 = msg("Beginning", part34); + + var part35 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup4, + dup5, + setc("event_description","Inputting overlay"), + ])); + + var msg26 = msg("Inputting", part35); + + var part36 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg27 = msg("Saved", part36); + + var part37 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup4, + dup5, + ])); + + var msg28 = msg("Importing", part37); + + var part38 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg29 = msg("Overlay", part38); + + var part39 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg30 = msg("Executed", part39); + + var part40 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup4, + dup5, + setc("event_description","Configuration system online"), + ])); + + var msg31 = msg("Configuration", part40); + + var part41 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","Table creation"), + ])); + + var msg32 = msg("Create", part41); + + var part42 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup4, + dup5, + setc("event_description","Loaded config file initial"), + ])); + + var msg33 = msg("Loaded", part42); + + var part43 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","Setting set-reply timeout"), + ])); + + var msg34 = msg("Setting", part43); + + var part44 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg35 = msg("CCD", part44); + + var part45 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup4, + dup5, + ])); + + var msg36 = msg("Device", part45); + + var part46 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup4, + dup5, + ])); + + var msg37 = msg("Output", part46); + + var part47 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg38 = msg("ssh", part47); + + var part48 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup4, + dup5, + setc("event_description","Applying overlay to group"), + ])); + + var msg39 = msg("Applying", part48); + + var part49 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup4, + dup5, + setc("event_description","Applying overlay to cache"), + ])); + + var msg40 = msg("Applying:01", part49); + + var part50 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". ID %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","Backup complete for device"), + ])); + + var msg41 = msg("configd:backup", part50); + + var part51 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup4, + dup5, + dup7, + ])); + + var msg42 = msg("file:01", part51); + + var part52 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup4, + dup5, + setc("event_description","Connection reset by peer"), + ])); + + var msg43 = msg("configd:connection", part52); + + var part53 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup4, + dup5, + setc("event_description","cd session read failed"), + ])); + + var msg44 = msg("configd:failed", part53); + + var select14 = linear_select([ + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + ]); + + var part54 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup4, + dup5, + setc("event_description","Querying content system for job results"), + ])); + + var msg45 = msg("poller", part54); + + var part55 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg46 = msg("heartbeat", part55); + + var part56 = match("MESSAGE#46:heartbeat:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg47 = msg("heartbeat:01", part56); + + var part57 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup4, + dup5, + setc("event_description","director heartbeat client exiting"), + ])); + + var msg48 = msg("heartbeat:02", part57); + + var part58 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup4, + dup5, + setc("event_description","director heartbeat client launched"), + ])); + + var msg49 = msg("heartbeat:03", part58); + + var part59 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{filename}: undefined symbol: %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","undefined symbol"), + ])); + + var msg50 = msg("heartbeat:crit1", part59); + + var part60 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","No such file or directory"), + ])); + + var msg51 = msg("heartbeat:crit2", part60); + + var select15 = linear_select([ + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + ]); + + var part61 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". Output %{fld9}: %{result}", processor_chain([ + dup4, + dup5, + ])); + + var msg52 = msg("runner", part61); + + var part62 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup4, + dup5, + ])); + + var msg53 = msg("runner:01", part62); + + var part63 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup4, + dup5, + ])); + + var msg54 = msg("runner:02", part63); + + var part64 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %{filename}", processor_chain([ + dup4, + dup5, + ])); + + var msg55 = msg("runner:crit1", part64); + + var part65 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup4, + dup5, + setc("event_description","File reading failed"), + ])); + + var msg56 = msg("runner:crit2", part65); + + var select16 = linear_select([ + msg52, + msg53, + msg54, + msg55, + msg56, + ]); + + var part66 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup4, + dup5, + ])); + + var msg57 = msg("ccd", part66); + + var part67 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup4, + dup5, + ])); + + var msg58 = msg("ccd:01", part67); + + var part68 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup4, + dup5, + ])); + + var msg59 = msg("ccd:03", part68); + + var part69 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup4, + dup5, + ])); + + var msg60 = msg("ccd:04", part69); + + var part70 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","info on device connection"), + ])); + + var msg61 = msg("ccd:02", part70); + + var part71 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","write to ssh pipe"), + ])); + + var msg62 = msg("ccd:05", part71); + + var part72 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","ccd handle read failure"), + ])); + + var msg63 = msg("ccd:06", part72); + + var part73 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup4, + dup5, + setc("event_description","device communication daemon online"), + ])); + + var msg64 = msg("ccd:07", part73); + + var part74 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","system memory size"), + ])); + + var msg65 = msg("ccd:08", part74); + + var select17 = linear_select([ + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + ]); + + var part75 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ + dup8, + dup5, + ])); + + var msg66 = msg("sshd", part75); + + var part76 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","bad username"), + ])); + + var msg67 = msg("sshd:01", part76); + + var part77 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup4, + dup5, + dup9, + ])); + + var msg68 = msg("sshd:02", part77); + + var part78 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup4, + dup5, + setc("event_description","check pass, user unknown"), + ])); + + var msg69 = msg("sshd:03", part78); + + var part79 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup4, + dup5, + dup9, + ])); + + var msg70 = msg("sshd:04", part79); + + var msg71 = msg("sshd:pam", dup10); + + var select18 = linear_select([ + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + ]); + + var part80 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup4, + dup5, + ])); + + var msg72 = msg("dmd", part80); + + var part81 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg73 = msg("dmd:01", part81); + + var part82 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup4, + dup5, + ])); + + var msg74 = msg("dmd:11", part82); + + var part83 = match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg75 = msg("dmd:02", part83); + + var part84 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup8, + dup5, + ])); + + var msg76 = msg("dmd:03", part84); + + var select19 = linear_select([ + msg72, + msg73, + msg74, + msg75, + msg76, + ]); + + var part85 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ALERT exited abnormally"), + ])); + + var msg77 = msg("logrotate", part85); + + var part86 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","kernel time sync enabled"), + ])); + + var msg78 = msg("ntpd", part86); + + var part87 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","time reset"), + ])); + + var msg79 = msg("ntpd:01", part87); + + var part88 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup4, + dup5, + ])); + + var msg80 = msg("ntpd:02", part88); + + var part89 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd exiting on signal"), + ])); + + var msg81 = msg("ntpd:03", part89); + + var select20 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var part90 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd will start in few secs"), + ])); + + var msg82 = msg("pm", part90); + + var part91 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup4, + dup5, + setc("event_description","ntpd started"), + ])); + + var msg83 = msg("pm:01", part91); + + var part92 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","print message"), + ])); + + var msg84 = msg("pm:02", part92); + + var part93 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup4, + dup5, + setc("event_description","service started"), + ])); + + var msg85 = msg("pm:03", part93); + + var part94 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","service will start"), + ])); + + var msg86 = msg("pm:04", part94); + + var part95 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","check license validity"), + ])); + + var msg87 = msg("pm:05", part95); + + var part96 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup4, + dup5, + setc("event_description","connected to config daemon"), + ])); + + var msg88 = msg("pm:06", part96); + + var select21 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + ]); + + var part97 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","updated timestamp"), + ])); + + var msg89 = msg("anacron", part97); + + var part98 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","anacron started"), + ])); + + var msg90 = msg("anacron:01", part98); + + var part99 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","normal exit"), + ])); + + var msg91 = msg("anacron:02", part99); + + var select22 = linear_select([ + msg89, + msg90, + msg91, + ]); + + var part100 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup4, + dup5, + setc("event_description","invalid packet size"), + ])); + + var msg92 = msg("epmd", part100); + + var part101 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup4, + dup5, + ])); + + var msg93 = msg("epmd:01", part101); + + var part102 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup4, + dup5, + ])); + + var msg94 = msg("epmd:02", part102); + + var select23 = linear_select([ + msg92, + msg93, + msg94, + ]); + + var part103 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup4, + dup5, + ])); + + var msg95 = msg("xinetd", part103); + + var part104 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup4, + dup5, + ])); + + var msg96 = msg("xinetd:01", part104); + + var select24 = linear_select([ + msg95, + msg96, + ]); + + var part105 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup4, + dup5, + setc("event_description","Audit daemon rotating log files"), + ])); + + var msg97 = msg("auditd", part105); + + var part106 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %{filename}: %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","Reset file"), + ])); + + var msg98 = msg("restorecond", part106); + + var part107 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","handle authd unknown message"), + ])); + + var msg99 = msg("authd", part107); + + var part108 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","authd signal handler"), + ])); + + var msg100 = msg("authd:01", part108); + + var part109 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","authd close"), + ])); + + var msg101 = msg("authd:02", part109); + + var select25 = linear_select([ + msg99, + msg100, + msg101, + ]); + + var part110 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); + + var part111 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); + + var part112 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); + + var select26 = linear_select([ + part111, + part112, + ]); + + var part113 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); + + var all11 = all_match({ + processors: [ + part110, + select26, + part113, + ], + on_success: processor_chain([ + dup4, + dup5, + ]), + }); + + var msg102 = msg("rsyslogd", all11); + + var part114 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup4, + dup5, + setc("event_description","shutting down"), + ])); + + var msg103 = msg("shutdown", part114); + + var part115 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup4, + dup5, + setc("event_description","cmd starting"), + ])); + + var msg104 = msg("cmd", part115); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "anacron": select22, + "auditd": msg97, + "authd": select25, + "ccd": select17, + "cli": select12, + "cmd": msg104, + "configd": select14, + "dmd": select19, + "epmd": select23, + "heartbeat": select15, + "logrotate": msg77, + "ntpd": select20, + "pm": select21, + "poller": msg45, + "restorecond": msg98, + "rsyslogd": msg102, + "runner": select16, + "schedulerd": select13, + "shutdown": msg103, + "sshd": select18, + "xinetd": select24, + }), + ]); + + var part116 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{username}@%{p0}"); + + var part117 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); + + var part118 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ + dup4, + dup5, + dup6, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/bluecoat/0.10.2/data_stream/director/elasticsearch/ingest_pipeline/default.yml b/packages/bluecoat/0.10.2/data_stream/director/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..11851454ec --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,67 @@ +--- +description: Pipeline for Blue Coat Director + +processors: + - set: + field: ecs.version + value: '8.4.0' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/bluecoat/0.10.2/data_stream/director/fields/base-fields.yml b/packages/bluecoat/0.10.2/data_stream/director/fields/base-fields.yml new file mode 100755 index 0000000000..36c3bb3f0e --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/fields/base-fields.yml @@ -0,0 +1,38 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: bluecoat +- name: event.dataset + type: constant_keyword + description: Event dataset + value: bluecoat.director +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long diff --git a/packages/bluecoat/0.10.2/data_stream/director/fields/ecs.yml b/packages/bluecoat/0.10.2/data_stream/director/fields/ecs.yml new file mode 100755 index 0000000000..f7e5c95752 --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/fields/ecs.yml @@ -0,0 +1,547 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/bluecoat/0.10.2/data_stream/director/fields/fields.yml b/packages/bluecoat/0.10.2/data_stream/director/fields/fields.yml new file mode 100755 index 0000000000..cf41dc5803 --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/fields/fields.yml @@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + description: Server domain +- type: keyword + name: network.interface.name diff --git a/packages/bluecoat/0.10.2/data_stream/director/manifest.yml b/packages/bluecoat/0.10.2/data_stream/director/manifest.yml new file mode 100755 index 0000000000..26ed4bbbd8 --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/manifest.yml @@ -0,0 +1,205 @@ +title: Blue Coat Director logs +release: experimental +type: logs +streams: + - input: udp + title: Blue Coat Director logs + description: Collect Blue Coat Director logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - bluecoat-director + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 9527 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Blue Coat Director logs + description: Collect Blue Coat Director logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - bluecoat-director + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP port to listen on + multi: false + required: true + show_user: true + default: 9527 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + enabled: false + title: Blue Coat Director logs + description: Collect Blue Coat Director logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/bluecoat-director.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - bluecoat-director + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/bluecoat/0.10.2/data_stream/director/sample_event.json b/packages/bluecoat/0.10.2/data_stream/director/sample_event.json new file mode 100755 index 0000000000..125171d28a --- /dev/null +++ b/packages/bluecoat/0.10.2/data_stream/director/sample_event.json @@ -0,0 +1,59 @@ +{ + "@timestamp": "2022-01-25T12:03:43.425Z", + "agent": { + "ephemeral_id": "c90ce2e1-94f3-4a00-ad4a-53c75ff5ee2d", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "bluecoat.director", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "code": "ntpd", + "dataset": "bluecoat.director", + "ingested": "2022-01-25T12:03:44Z", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:36251" + } + }, + "observer": { + "product": "Director", + "type": "Configuration", + "vendor": "Bluecoat" + }, + "process": { + "pid": 1001 + }, + "rsa": { + "internal": { + "event_desc": "kernel time sync enabled", + "messageid": "ntpd" + }, + "misc": { + "client": "ntpd" + } + }, + "tags": [ + "bluecoat-director", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/bluecoat/0.10.2/docs/README.md b/packages/bluecoat/0.10.2/docs/README.md new file mode 100755 index 0000000000..7eef1de9e4 --- /dev/null +++ b/packages/bluecoat/0.10.2/docs/README.md @@ -0,0 +1,796 @@ +# Bluecoat integration + +This integration is for Bluecoat device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `director` dataset: supports Blue Coat Director logs. + +### Director + +The `director` dataset collects Blue Coat Director logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | + diff --git a/packages/bluecoat/0.10.2/manifest.yml b/packages/bluecoat/0.10.2/manifest.yml new file mode 100755 index 0000000000..f6a6c1bb12 --- /dev/null +++ b/packages/bluecoat/0.10.2/manifest.yml @@ -0,0 +1,27 @@ +format_version: 1.0.0 +name: bluecoat +title: Blue Coat Director Logs +version: "0.10.2" +description: Collect director logs from Blue Coat devices with Elastic Agent. +categories: ["network", "security"] +release: experimental +license: basic +type: integration +conditions: + kibana.version: "^7.14.1 || ^8.0.0" +policy_templates: + - name: director + title: Blue Coat Director + description: Collect Blue Coat Director logs from syslog or a file. + inputs: + - type: udp + title: Collect logs from Blue Coat Director via UDP + description: Collecting syslog from Blue Coat Director via UDP + - type: tcp + title: Collect logs from Blue Coat Director via TCP + description: Collecting syslog from Blue Coat Director via TCP + - type: logfile + title: Collect logs from Blue Coat Director via file + description: Collecting syslog from Blue Coat Director via file. +owner: + github: elastic/security-external-integrations diff --git a/packages/box_events/0.1.1/LICENSE.txt b/packages/box_events/0.1.1/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/box_events/0.1.1/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/box_events/0.1.1/changelog.yml b/packages/box_events/0.1.1/changelog.yml new file mode 100755 index 0000000000..b442e20d28 --- /dev/null +++ b/packages/box_events/0.1.1/changelog.yml @@ -0,0 +1,11 @@ +# newer versions go on top +- version: "0.1.1" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4399 +- version: "0.1.0" + changes: + - description: Initial beta version of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/3677 diff --git a/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/agent/stream/httpjson.yml.hbs b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..5b38ec285a --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/agent/stream/httpjson.yml.hbs @@ -0,0 +1,45 @@ +config_version: 2 +interval: "{{interval}}" +auth.oauth2: + client.id: "{{client_id}}" + client.secret: "{{client_secret}}" + token_url: "{{api_url}}/oauth2/token" + endpoint_params: + box_subject_id: "{{box_subject_id}}" + box_subject_type: "{{box_subject_type}}" + grant_type: "{{grant_type}}" + stream_type: "{{stream_type}}" +request.url: "{{api_url}}/2.0/events" +request.method: "GET" +request.transforms: + - set: + target: url.params.stream_position + value: '[[.cursor.next_stream_position]]' +response.decode_as: application/json +response.split: + target: body.entries + type: array + keep_parent: false + split: + target: body.additional_details.shield_alert.alert_summary.download_ips + type: array + keep_parent: true +cursor: + next_stream_position: + value: '[[.last_response.body.next_stream_position]]' +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +processors: +- decode_json_fields: + fields: message + target: box +- drop_event: + when: + not: + equals: + box.additional_details.shield_alert.rule_category: "Anomalous Download" \ No newline at end of file diff --git a/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..84f95dd769 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,219 @@ +--- +description: Pipeline for parsing Box Anomalous Download Alerts +processors: + - set: + field: ecs.version + value: "8.4.0" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: box + - date: + field: box.recorded_at + target_field: "@timestamp" + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + if: "ctx.box?.source != null" + - rename: + field: box.session_id + target_field: box.session.id + ignore_missing: true +# `box.type` is always `event` - remove to avoid ambiguity with `event.kind` + - remove: + field: box.type + ignore_missing: true + - set: + field: event.kind + value: "event" + if: "ctx.box?.source != null" + ignore_failure: true + - set: + field: event.kind + value: "alert" + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - set: + field: event.type + value: ["access","indicator"] + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - set: + field: event.category + value: ["file","threat"] + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - rename: + field: box.event_type + target_field: event.action + ignore_missing: true + - rename: + field: box.event_id + target_field: event.id + ignore_missing: true +# Box Shield can add these fields + - date: + field: box.additional_details.shield_alert.alert_summary.historical_period.date_range.start_date + target_field: "@timestamp" + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + - rename: + field: box.ip_address + target_field: client.ip + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.risk_score + target_field: event.risk_score + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.alert_summary.download_ips.ip + type: ip + target_field: threat.indicator.ip + ignore_missing: true + - geoip: + field: threat.indicator.ip + target_field: threat.indicator.geo + - rename: + field: box.additional_details.shield_alert.link + target_field: threat.indicator.reference + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.description + target_field: threat.indicator.description + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.anomaly_period.date_range.start_date + target_field: threat.indicator.first_seen + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.anomaly_period.date_range.end_date + target_field: threat.indicator.last_seen + ignore_missing: true + - rename: + field: ctx.box.additional_details.shield_alert.alert_summary.historical_period.downloaded_files_count + target_field: threat.indicator.sightings + ignore_missing: true + - set: + field: threat.indicator.type + value: "file" + - rename: + field: box.additional_details.shield_alert.rule_category + target_field: rule.category + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.rule_id + type: string + target_field: rule.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.rule_id + ignore_failure: true + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.rule_name + target_field: rule.name + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.alert_id + type: string + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.email + target_field: user.effective.email + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.name + target_field: user.effective.name + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.user.id + type: string + target_field: user.effective.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.user.id + ignore_failure: true + ignore_missing: true + - append: + field: related.ip + value: "{{{threat.indicator.ip}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.ip + value: "{{{client.ip}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.email}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.name}}}" + ignore_failure: true + allow_duplicates: false + - script: + description: Capitalize Priority to match Appendix A of the STIX 2.1 framework + lang: painless + source: | + if (ctx.box?.additional_details?.shield_alert?.priority != null) { + ctx.threat.indicator.confidence = + ctx.box.additional_details.shield_alert.priority.substring(0, 1).toUpperCase() + + ctx.box.additional_details.shield_alert.priority.substring(1); + } +# Do AS look-ups as well + - geoip: + database_file: GeoLite2-ASN.mmdb + field: threat.indicator.ip + target_field: threat.indicator.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: threat.indicator.as.asn + target_field: threat.indicator.as.number + ignore_missing: true + - rename: + field: threat.indicator.as.organization_name + target_field: threat.indicator.as.organization.name + ignore_missing: true +# Conditionally, remove event.original + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +# Drop empty/null fields + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/agent.yml b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/agent.yml new file mode 100755 index 0000000000..8603c3c91e --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/agent.yml @@ -0,0 +1,238 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + + - name: cpu.pct + type: scaled_float + format: percent + description: > + Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + + - name: disk.read.bytes + type: long + format: bytes + description: > + The total number of bytes read successfully in a given period of time. + + - name: disk.write.bytes + type: long + format: bytes + description: > + The total number of bytes write successfully in a given period of time. + + - name: network.in.bytes + type: long + format: bytes + description: > + The number of bytes received on all network interfaces by the host in a given period of time. + + - name: network.in.packets + type: long + description: > + The number of packets received on all network interfaces by the host in a given period of time. + + - name: network.out.bytes + type: long + format: bytes + description: > + The number of bytes sent out on all network interfaces by the host in a given period of time. + + - name: network.out.packets + type: long + description: > + The number of packets sent out on all network interfaces by the host in a given period of time. + diff --git a/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/base-fields.yml b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/base-fields.yml new file mode 100755 index 0000000000..a40b97a145 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/base-fields.yml @@ -0,0 +1,23 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: box +- name: event.dataset + type: constant_keyword + description: Event dataset + value: box_events.events +- name: input.type + description: Type of Filebeat input. + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/ecs.yml b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/ecs.yml new file mode 100755 index 0000000000..e1a4cafaaa --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/ecs.yml @@ -0,0 +1,186 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File creation time. + Note that not all filesystems store the creation time. + name: file.created + type: date +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.as.organization.name + type: keyword +- description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + name: threat.indicator.confidence + type: keyword +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: City name. + name: threat.indicator.geo.city_name + type: keyword +- description: Name of the continent. + name: threat.indicator.geo.continent_name + type: keyword +- description: Country ISO code. + name: threat.indicator.geo.country_iso_code + type: keyword +- description: Country name. + name: threat.indicator.geo.country_name + type: keyword +- description: Longitude and latitude. + name: threat.indicator.geo.location + type: geo_point +- description: Region ISO code. + name: threat.indicator.geo.region_iso_code + type: keyword +- description: Region name. + name: threat.indicator.geo.region_name + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Reference URL linking to additional information about this indicator. + name: threat.indicator.reference + type: keyword +- description: Type of indicator as represented by Cyber Observable in STIX 2.0. + name: threat.indicator.type + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: User email address. + name: user.effective.email + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/fields.yml b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/fields.yml new file mode 100755 index 0000000000..ffc15f618e --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/fields/fields.yml @@ -0,0 +1,82 @@ +- name: box + type: object + fields: + - name: created_by + type: object + fields: + - name: id + description: The unique identifier for the connection user + type: keyword + - name: name + description: The display name of the connection user. Maps from **.name + type: keyword + - name: login + description: The primary email address of the connection user. Maps from **.login + - name: type + description: E.g. `user` + - name: session.id + description: The session of the user that performed the action. Not all events will populate this attribute + type: keyword + - name: recorded_at + description: The date and time at which this event occurred + type: date + - name: created_at + description: When the event object was created + type: date + - name: additional_details + type: object + fields: + - name: shield_alert + type: object + fields: + - name: alert_id + description: Box Shield alert ID + type: keyword + - name: created_at + description: Time alert was created + type: date + - name: priority + description: Box Shield priority of alert + type: keyword + - name: alert_summary + type: object + fields: + - name: anomaly_period + type: object + fields: + - name: download_size + description: Volume of Anomalous Downloads detected by Box Shield relating to an account holder who may be stealing sensitive content + type: keyword + - name: downloaded_files_count + description: Number of Anomalous Downloads detected by Box Shield relating to an account holder who may be stealing sensitive content + type: long + - name: download_delta_percent + type: long + description: Anomaly delta percentage relative to historical expectation + - name: download_delta_size + type: keyword + description: Anomaly delta size relative to historical expectation + - name: download_ips + type: object + fields: + - name: ip + description: IP address + type: ip + - name: historical_period + type: object + fields: + - name: date_range + type: object + fields: + - name: end_date + description: End of historical period for calculation of historical expectation + type: keyword + - name: start_date + description: Start of historical period for calculation of historical expectation + type: keyword + - name: download_size + description: Volume of Anomalous Downloads detected by Box Shield relating to an account holder who may be stealing sensitive content + type: keyword + - name: downloaded_files_count + description: Number of Anomalous Downloads detected by Box Shield relating to an account holder who may be stealing sensitive content + type: long diff --git a/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/manifest.yml b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/manifest.yml new file mode 100755 index 0000000000..6cdaa707ba --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/manifest.yml @@ -0,0 +1,33 @@ +title: List user and enterprise events +type: logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Box Shield Anomalous Download Alerts + description: Collect Box Shield Anomalous Download Alerts with appropriate Box Opt-in Settings + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the API. + multi: false + required: true + show_user: true + default: 300s + - name: stream_type + type: text + title: Stream Type + description: >- + To retrieve events for the entire enterprise, set the stream_type to admin_logs_streaming for live monitoring of new events, or admin_logs for querying across historical events. The user making the API call will need to have admin privileges, and the application will need to have the scope manage enterprise properties checked. + multi: false + required: true + show_user: true + default: admin_logs + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false diff --git a/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/sample_event.json b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/sample_event.json new file mode 100755 index 0000000000..77ec9540d6 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/anomalous_download_alerts/sample_event.json @@ -0,0 +1,154 @@ +{ + "agent": { + "name": "docker-fleet-agent", + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "ephemeral_id": "02cda318-e8e4-4aab-9dbd-eda10d827a5b", + "type": "filebeat", + "version": "8.4.0" + }, + "elastic_agent": { + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "version": "8.4.0", + "snapshot": false + }, + "box": { + "additional_details": { + "shield_alert": { + "alert_id": "444", + "alert_summary": { + "anomaly_period": { + "download_size": "25 Mb", + "downloaded_files_count": 13 + }, + "download_delta_percent": 9200, + "download_delta_size": "25 Mb", + "download_ips": { + "ip": "89.160.20.112" + }, + "historical_period": { + "date_range": { + "end_date": "2019-12-08T01:01:00-08:00", + "start_date": "2019-12-01T01:01:00-08:00" + }, + "download_size": "0 Mb", + "downloaded_files_count": 1 + } + }, + "created_at": "2019-12-20T11:38:16-08:00", + "priority": "medium" + } + }, + "created_at": "2019-12-20T11:38:56-08:00", + "created_by": { + "id": "2", + "name": "Unknown User", + "type": "user" + } + }, + "client": { + "ip": "10.1.2.3" + }, + "input": { + "type": "httpjson" + }, + "@timestamp": "2019-12-01T08:00:00.000Z", + "ecs": { + "version": "8.4.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "box_events.anomalous_download_alerts" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.104-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "family": "debian", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": false, + "ip": [ + "172.30.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:1e:00:07" + ], + "architecture": "x86_64" + }, + "event": { + "action": "SHIELD_ALERT", + "category": [ + "file", + "threat" + ], + "id": "97f1b31f-f143-4777-81f8-1b557b39ca33", + "kind": "alert", + "original": "{\"source\":null,\"created_by\":{\"type\":\"user\",\"id\":\"2\",\"name\":\"Unknown User\",\"login\":\"\"},\"action_by\":null,\"created_at\":\"2019-12-20T11:38:56-08:00\",\"event_id\":\"97f1b31f-f143-4777-81f8-1b557b39ca33\",\"event_type\":\"SHIELD_ALERT\",\"ip_address\":\"10.1.2.3\",\"type\":\"event\",\"session_id\":null,\"additional_details\":{\"shield_alert\":{\"rule_category\":\"Anomalous Download\",\"rule_id\":123,\"rule_name\":\"Anomalous Download Rule\",\"risk_score\":77,\"alert_summary\":{\"description\":\"Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)\",\"download_delta_size\":\"25 Mb\",\"download_delta_percent\":9200,\"historical_period\":{\"date_range\":{\"start_date\":\"2019-12-01T01:01:00-08:00\",\"end_date\":\"2019-12-08T01:01:00-08:00\"},\"download_size\":\"0 Mb\",\"downloaded_files_count\":1},\"anomaly_period\":{\"date_range\":{\"start_date\":\"2019-12-08T01:01:00-08:00\",\"end_date\":\"2019-12-15T01:01:00-08:00\"},\"download_size\":\"25 Mb\",\"downloaded_files_count\":13},\"download_ips\":{\"ip\":\"89.160.20.112\"}},\"alert_id\":444,\"priority\":\"medium\",\"user\":{\"id\":567,\"name\":\"Some user\",\"email\":\"some@user.com\"},\"link\":\"https://cloud.app.box.com/master/shield/alerts/444\",\"created_at\":\"2019-12-20T11:38:16-08:00\"}}}", + "risk_score": 77, + "type": [ + "access", + "indicator" + ] + }, + "related": { + "ip": [ + "89.160.20.112", + "10.1.2.3" + ], + "user": [ + "some@user.com", + "567", + "Some user" + ] + }, + "rule": { + "category": "Anomalous Download", + "id": "123", + "name": "Anomalous Download Rule" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "confidence": "Medium", + "description": "Significant increase in download content week over week, 9200% (25.04 MB) more than last week 12 additional files downloaded week over week)", + "first_seen": "2019-12-08T01:01:00-08:00", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "last_seen": "2019-12-15T01:01:00-08:00", + "reference": "https://cloud.app.box.com/master/shield/alerts/444", + "type": "file" + } + }, + "user": { + "effective": { + "email": "some@user.com", + "id": "567", + "name": "Some user" + } + } +} \ No newline at end of file diff --git a/packages/box_events/0.1.1/data_stream/events/agent/stream/httpjson.yml.hbs b/packages/box_events/0.1.1/data_stream/events/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..48b8588451 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/events/agent/stream/httpjson.yml.hbs @@ -0,0 +1,40 @@ +config_version: 2 +interval: "{{interval}}" +auth.oauth2: + client.id: "{{client_id}}" + client.secret: "{{client_secret}}" + token_url: "{{api_url}}/oauth2/token" + endpoint_params: + box_subject_id: "{{box_subject_id}}" + box_subject_type: "{{box_subject_type}}" + grant_type: "{{grant_type}}" + stream_type: "{{stream_type}}" +request.url: "{{api_url}}/2.0/events" +request.method: "GET" +request.transforms: + - set: + target: url.params.stream_position + value: '[[.cursor.next_stream_position]]' +response.decode_as: application/json +response.split: + target: body.entries + type: array + keep_parent: false +cursor: + next_stream_position: + value: '[[.last_response.body.next_stream_position]]' +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +processors: +- decode_json_fields: + fields: message + target: box +- drop_event: + when: + not: + has_fields: ['box.source'] diff --git a/packages/box_events/0.1.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/0.1.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..ba25482f20 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/events/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,710 @@ +--- +description: Pipeline for parsing Box Events +processors: + - set: + field: ecs.version + value: "8.4.0" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: box + - date: + field: box.recorded_at + target_field: "@timestamp" + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + if: "ctx.box?.source != null" + - rename: + field: box.session_id + target_field: box.session.id + ignore_missing: true +# `box.type` is always `event` - remove to avoid ambiguity with `event.kind` + - remove: + field: box.type + ignore_missing: true + - set: + field: event.kind + value: "event" + if: "ctx.box?.source != null" + ignore_failure: true + - set: + field: event.kind + value: "alert" + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - script: + description: Set event.category + event.type + lang: painless + params: + ACCESS_GRANTED: + map: + category: ['configuration'] + type: ['access','allowed'] + ACCESS_REVOKED: + map: + category: ['configuration'] + type: ['access','denied'] + ADD_DEVICE_ASSOCIATION: + map: + category: ['host'] + type: ['access','allowed'] + ADD_LOGIN_ACTIVITY_DEVICE: + map: + category: ['host','session'] + type: ['access','allowed'] + ADMIN_LOGIN: + map: + category: ['session'] + type: ['admin'] + APPLICATION_CREATED: + map: + category: ['process'] + type: ['creation'] + APPLICATION_PUBLIC_KEY_ADDED: + map: + category: ['process','authentication','iam'] + type: ['creation'] + APPLICATION_PUBLIC_KEY_DELETED: + map: + category: ['process','authentication','iam'] + type: ['deletion'] + CHANGE_ADMIN_ROLE: + map: + category: ['configuration'] + type: ['admin'] + CHANGE_FOLDER_PERMISSION: + map: + category: ['file'] + type: ['access','change'] + COLLABORATION_ACCEPT: + map: + category: ['process'] + type: ['access','start'] + COLLABORATION_EXPIRATION: + map: + category: ['process'] + type: ['access','deletion'] + COLLABORATION_INVITE: + map: + category: ['process'] + type: ['access','creation'] + COLLABORATION_REMOVE: + map: + category: ['process'] + type: ['access','end'] + COLLABORATION_ROLE_CHANGE: + map: + category: ['process'] + type: ['access','change'] + COLLAB_ADD_COLLABORATOR: + map: + category: ['process'] + type: ['access','creation'] + COLLAB_INVITE_COLLABORATOR: + map: + category: ['process'] + type: ['access'] + COLLAB_REMOVE_COLLABORATOR: + map: + category: ['process'] + type: ['access','deletion'] + COLLAB_ROLE_CHANGE: + map: + category: ['process'] + type: ['access','change'] + COMMENT_CREATE: + map: + category: ['database'] + type: ['creation'] + COMMENT_DELETE: + map: + category: ['database'] + type: ['deletion'] + CONTENT_ACCESS: + map: + category: ['file'] + type: ['access'] + CONTENT_WORKFLOW_ABNORMAL_DOWNLOAD_ACTIVITY: + map: + category: ['process','threat'] + type: ['access','connection','indicator'] + CONTENT_WORKFLOW_AUTOMATION_ADD: + map: + category: ['process'] + type: ['change'] + CONTENT_WORKFLOW_AUTOMATION_DELETE: + map: + category: ['process'] + type: ['change'] + CONTENT_WORKFLOW_POLICY_ADD: + map: + category: ['process','configuration'] + type: ['creation'] + CONTENT_WORKFLOW_SHARING_POLICY_VIOLATION: + map: + category: ['process','threat'] + type: ['access','indicator'] + CONTENT_WORKFLOW_UPLOAD_POLICY_VIOLATION: + map: + category: ['process','threat'] + type: ['access','indicator'] + COPY: + map: + category: ['file'] + type: ['creation'] + DATA_RETENTION_CREATE_RETENTION: + map: + category: ['process','configuration'] + type: ['creation'] + DATA_RETENTION_REMOVE_RETENTION: + map: + category: ['process','configuration'] + type: ['deletion'] + DELETE: + map: + category: ['file'] + type: ['deletion'] + DELETE_USER: + map: + category: ['iam'] + type: ['user','deletion'] + DEVICE_TRUST_CHECK_FAILED: + map: + category: ['authentication','threat'] + type: ['denied','indicator'] + DOWNLOAD: + map: + category: ['file'] + type: ['access'] + EDIT: + map: + category: ['file'] + type: ['access','change'] + EDIT_USER: + map: + category: ['iam'] + type: ['change'] + EMAIL_ALIAS_CONFIRM: + map: + category: ['iam'] + type: ['user'] + EMAIL_ALIAS_REMOVE: + map: + category: ['iam'] + type: ['user'] + ENABLE_TWO_FACTOR_AUTH: + map: + category: ['iam'] + type: ['user'] + ENTERPRISE_APP_AUTHORIZATION_UPDATE: + map: + category: ['iam','process'] + type: ['change'] + FAILED_LOGIN: + map: + category: ['iam','threat'] + type: ['denied','indicator'] + FILE_MARKED_MALICIOUS: + map: + category: ['file','threat'] + type: ['indicator'] + FILE_WATERMARKED_DOWNLOAD: + map: + category: ['file'] + type: ['access'] + GROUP_ADD_ITEM: + map: + category: ['iam'] + type: ['change','group'] + GROUP_ADD_USER: + map: + category: ['iam'] + type: ['creation','group'] + GROUP_CREATION: + map: + category: ['iam'] + type: ['creation','group'] + GROUP_DELETION: + map: + category: ['iam'] + type: ['deletion','group'] + GROUP_EDITED: + map: + category: ['iam'] + type: ['change','group'] + GROUP_REMOVE_ITEM: + map: + category: ['iam'] + type: ['deletion','group'] + GROUP_REMOVE_USER: + map: + category: ['iam'] + type: ['deletion','group','user'] + ITEM_COPY: + map: + category: ['file'] + type: ['creation'] + ITEM_CREATE: + map: + category: ['file'] + type: ['creation'] + ITEM_DOWNLOAD: + map: + category: ['file'] + type: ['access'] + ITEM_MAKE_CURRENT_VERSION: + map: + category: ['file','database'] + type: ['change'] + ITEM_MODIFY: + map: + category: ['file'] + type: ['change'] + ITEM_MOVE: + map: + category: ['file','database'] + type: ['change'] + ITEM_OPEN: + map: + category: ['file'] + type: ['access'] + ITEM_PREVIEW: + map: + category: ['file'] + type: ['access'] + ITEM_RENAME: + map: + category: ['file','database'] + type: ['change'] + ITEM_SHARED: + map: + category: ['file','database'] + type: ['change'] + ITEM_SHARED_CREATE: + map: + category: ['file','database'] + type: ['change'] + ITEM_SHARED_UNSHARE: + map: + category: ['file','database'] + type: ['change'] + ITEM_SHARED_UPDATE: + map: + category: ['file','database'] + type: ['change'] + ITEM_SYNC: + map: + category: ['file','database'] + type: ['access'] + ITEM_TRASH: + map: + category: ['file','database'] + type: ['deletion'] + ITEM_UNDELETE_VIA_TRASH: + map: + category: ['file','database'] + type: ['creation'] + ITEM_UNSYNC: + map: + category: ['file','database'] + type: ['creation'] + ITEM_UPLOAD: + map: + category: ['file'] + type: ['creation'] + LEGAL_HOLD_ASSIGNMENT_CREATE: + map: + category: ['process','database'] + type: ['creation'] + LEGAL_HOLD_ASSIGNMENT_DELETE: + map: + category: ['process','database'] + type: ['deletion'] + LEGAL_HOLD_POLICY_CREATE: + map: + category: ['process','database'] + type: ['creation'] + LEGAL_HOLD_POLICY_DELETE: + map: + category: ['process','database'] + type: ['deletion'] + LEGAL_HOLD_POLICY_UPDATE: + map: + category: ['process','database'] + type: ['change'] + LOCK: + map: + category: ['process','file'] + type: ['access'] + LOCK_CREATE: + map: + category: ['process','file'] + type: ['creation'] + LOCK_DESTROY: + map: + category: ['process','file'] + type: ['deletion'] + LOGIN: + map: + category: ['authentication'] + type: ['access'] + MASTER_INVITE_ACCEPT: + map: + category: ['process'] + type: ['allowed'] + MASTER_INVITE_REJECT: + map: + category: ['process'] + type: ['denied'] + METADATA_INSTANCE_CREATE: + map: + category: ['database'] + type: ['creation'] + METADATA_INSTANCE_DELETE: + map: + category: ['database'] + type: ['deletion'] + METADATA_INSTANCE_UPDATE: + map: + category: ['database'] + type: ['change'] + METADATA_TEMPLATE_CREATE: + map: + category: ['database'] + type: ['creation'] + METADATA_TEMPLATE_DELETE: + map: + category: ['database'] + type: ['deletion'] + METADATA_TEMPLATE_UPDATE: + map: + category: ['database'] + type: ['change'] + MOVE: + map: + category: ['file'] + type: ['creation','deletion'] + NEW_USER: + map: + category: ['iam'] + type: ['creation'] + PREVIEW: + map: + category: ['file'] + type: ['access'] + REMOVE_DEVICE_ASSOCIATION: + map: + category: ['host'] + type: ['deletion'] + REMOVE_LOGIN_ACTIVITY_DEVICE: + map: + category: ['host','session'] + type: ['deletion'] + RENAME: + map: + category: ['file','database'] + type: ['change'] + RETENTION_POLICY_ASSIGNMENT_ADD: + map: + category: ['database','process'] + type: ['creation'] + SHARE: + map: + category: ['file','database'] + type: ['creation'] + SHARE_EXPIRATION: + map: + category: ['process','database'] + type: ['deletion'] + SHIELD_ALERT: + map: + category: ['threat'] + type: ['indicator'] + SHIELD_EXTERNAL_COLLAB_ACCESS_BLOCKED: + map: + category: ['threat','process'] + type: ['denied'] + SHIELD_EXTERNAL_COLLAB_ACCESS_BLOCKED_MISSING_JUSTIFICATION: + map: + category: ['threat','process'] + type: ['denied'] + SHIELD_EXTERNAL_COLLAB_INVITE_BLOCKED: + map: + category: ['threat','process'] + type: ['denied'] + SHIELD_EXTERNAL_COLLAB_INVITE_BLOCKED_MISSING_JUSTIFICATION: + map: + category: ['threat','process'] + type: ['denied'] + SHIELD_JUSTIFICATION_APPROVAL: + map: + category: ['threat','process'] + type: ['admin'] + SIGN_DOCUMENT_ASSIGNED: + map: + category: ['process','iam'] + type: ['start'] + SIGN_DOCUMENT_CANCELLED: + map: + category: ['process','iam'] + type: ['end'] + SIGN_DOCUMENT_COMPLETED: + map: + category: ['process','iam'] + type: ['end'] + SIGN_DOCUMENT_CONVERTED: + map: + category: ['process','iam'] + type: ['change'] + SIGN_DOCUMENT_CREATED: + map: + category: ['process','iam'] + type: ['creation'] + SIGN_DOCUMENT_DECLINED: + map: + category: ['process','iam'] + type: ['denied'] + SIGN_DOCUMENT_EXPIRED: + map: + category: ['process','iam'] + type: ['change'] + SIGN_DOCUMENT_SIGNED: + map: + category: ['process','iam'] + type: ['change'] + SIGN_DOCUMENT_VIEWED_BY_SIGNED: + map: + category: ['process','iam'] + type: ['access'] + SIGNER_DOWNLOADED: + map: + category: ['process','iam'] + type: ['access'] + SIGNER_FORWARDED: + map: + category: ['process','iam'] + type: ['change'] + STORAGE_EXPIRATION: + map: + category: ['process'] + type: ['change'] + TAG_ITEM_CREATE: + map: + category: ['file','database'] + type: ['creation'] + TASK_ASSIGNMENT_CREATE: + map: + category: ['process','database'] + type: ['user','creation'] + TASK_ASSIGNMENT_DELETE: + map: + category: ['process','database'] + type: ['user','deletion'] + TASK_ASSIGNMENT_UPDATE: + map: + category: ['process','database'] + type: ['user','change'] + TASK_CREATE: + map: + category: ['process','database'] + type: ['creation'] + TASK_UPDATE: + map: + category: ['process','database'] + type: ['creation'] + TERMS_OF_SERVICE_ACCEPT: + map: + category: ['process','database'] + type: ['user'] + TERMS_OF_SERVICE_REJECT: + map: + category: ['process','database'] + type: ['user'] + UNDELETE: + map: + category: ['file'] + type: ['creation'] + UNLOCK: + map: + category: ['process'] + type: ['change'] + UNSHARE: + map: + category: ['process','database'] + type: ['change'] + UPDATE_COLLABORATION_EXPIRATION: + map: + category: ['process','database'] + type: ['user','change'] + UPDATE_SHARE_EXPIRATION: + map: + category: ['process','database'] + type: ['change'] + UPLOAD: + map: + category: ['file'] + type: ['creation'] + user_authenticate_oauth2_access_token_create: + map: + category: ['authentication','iam'] + type: ['user','creation'] + WATERMARK_LABEL_CREATE: + map: + category: ['file','process'] + type: ['creation'] + WATERMARK_LABEL_DELETE: + map: + category: ['file','process'] + type: ['deletion'] + source: | + def eventType = params.getOrDefault(ctx.box.event_type, null); + if (eventType != null) { + ctx.event.category = eventType.map.get('category'); + ctx.event.type = eventType.map.get('type'); + } + - rename: + field: box.event_type + target_field: event.action + ignore_missing: true + - rename: + field: box.event_id + target_field: event.id + ignore_missing: true +# If a user or item triggers an event, The response of the GET /events endpoint contains an event source object. + - convert: + field: box.source.sequence_id + target_field: event.sequence + type: integer + ignore_missing: true + - rename: + field: box.source.type + target_field: file.type + ignore_missing: true + - rename: + if: ctx.file?.type != "folder" + field: box.source.name + target_field: file.name + ignore_missing: true + - rename: + if: ctx.file?.type == "folder" + field: box.source.name + target_field: file.directory + ignore_missing: true + - date: + field: box.source.created_at + target_field: file.created + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + - remove: + field: box.source.created_at + ignore_missing: true + - date: + field: box.source.content_created_at + target_field: file.created + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + - remove: + field: box.source.content_created_at + ignore_missing: true + - date: + field: box.source.content_modified_at + target_field: file.mtime + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + - remove: + field: box.source.content_modified_at + ignore_missing: true + - date: + field: box.source.modified_at + target_field: file.ctime + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + - rename: + field: box.source.size + target_field: file.size + ignore_missing: true + - rename: + field: box.source.file_version.sha1 + target_field: file.hash.sha1 + ignore_missing: true + - append: + field: related.user + value: "{{{box.source.created_by.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.source.created_by.login}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.source.created_by.name}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.source.modified_by.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.source.modified_by.login}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.source.modified_by.name}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.source.owned_by.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.source.owned_by.login}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.source.owned_by.name}}}" + ignore_failure: true + allow_duplicates: false +# Conditionally, remove event.original + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +# Drop empty/null fields + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/box_events/0.1.1/data_stream/events/fields/agent.yml b/packages/box_events/0.1.1/data_stream/events/fields/agent.yml new file mode 100755 index 0000000000..8603c3c91e --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/events/fields/agent.yml @@ -0,0 +1,238 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + + - name: cpu.pct + type: scaled_float + format: percent + description: > + Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + + - name: disk.read.bytes + type: long + format: bytes + description: > + The total number of bytes read successfully in a given period of time. + + - name: disk.write.bytes + type: long + format: bytes + description: > + The total number of bytes write successfully in a given period of time. + + - name: network.in.bytes + type: long + format: bytes + description: > + The number of bytes received on all network interfaces by the host in a given period of time. + + - name: network.in.packets + type: long + description: > + The number of packets received on all network interfaces by the host in a given period of time. + + - name: network.out.bytes + type: long + format: bytes + description: > + The number of bytes sent out on all network interfaces by the host in a given period of time. + + - name: network.out.packets + type: long + description: > + The number of packets sent out on all network interfaces by the host in a given period of time. + diff --git a/packages/box_events/0.1.1/data_stream/events/fields/base-fields.yml b/packages/box_events/0.1.1/data_stream/events/fields/base-fields.yml new file mode 100755 index 0000000000..a40b97a145 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/events/fields/base-fields.yml @@ -0,0 +1,23 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: box +- name: event.dataset + type: constant_keyword + description: Event dataset + value: box_events.events +- name: input.type + description: Type of Filebeat input. + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/events/fields/ecs.yml b/packages/box_events/0.1.1/data_stream/events/fields/ecs.yml new file mode 100755 index 0000000000..cfaf8d58d4 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/events/fields/ecs.yml @@ -0,0 +1,106 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File creation time. + Note that not all filesystems store the creation time. + name: file.created + type: date +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/events/fields/fields.yml b/packages/box_events/0.1.1/data_stream/events/fields/fields.yml new file mode 100755 index 0000000000..49a4426290 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/events/fields/fields.yml @@ -0,0 +1,151 @@ +- name: box + type: object + fields: + - name: created_by + type: object + fields: + - name: id + description: The unique identifier for the connection user + type: keyword + - name: name + description: The display name of the connection user. Maps from **.name + type: keyword + - name: login + description: The primary email address of the connection user. Maps from **.login + - name: type + description: E.g. `user` + - name: session.id + description: The session of the user that performed the action. Not all events will populate this attribute + type: keyword + - name: recorded_at + description: The date and time at which this event occurred + type: date + - name: created_at + description: When the event object was created + type: date + - name: source + type: object + fields: + - name: id + description: The unique identifier that represent a folder + type: keyword + - name: etag + description: The HTTP etag of this folder + type: keyword + - name: description + description: The optional description of this folder + type: text + - name: path_collection + description: The tree of folders that this folder is contained in, starting at the root + type: object + - name: path_collection.total_count + description: The number of folders in this list + type: long + - name: path_collection.entries + description: The parent folders for this item + type: object + - name: path_collection.entries.type + description: Value is always `folder`. This field is an array + type: array + - name: path_collection.entries.id + description: The unique identifier that represent a folder. This field is an array + type: array + - name: path_collection.entries.name + description: The name of the folder. This field is an array + type: array + - name: created_by + description: The user who created this folder + type: object + - name: created_by.type + description: Value is always `user` + type: keyword + - name: created_by.id + description: The unique identifier for this user + type: keyword + - name: created_by.name + description: The display name of this user. Maps from **.name + type: keyword + - name: created_by.login + description: The primary email address of this user. Maps from **.login + type: keyword + - name: modified_by + description: The user who last modified this folder + type: object + - name: modified_by.type + description: Value is always `user` + type: keyword + - name: modified_by.id + description: The unique identifier for this user + type: keyword + - name: modified_by.name + description: The display name of this user. Maps from **.name + type: keyword + - name: modified_by.login + description: The primary email address of this user. Maps from **.login + type: keyword + - name: created_at + description: The date and time at which this folder was originally created + type: date + - name: modified_at + description: The date and time at which this folder was last updated + type: date + - name: owned_by + description: The user who owns this folder + type: keyword + - name: owned_by.type + description: Value is always `user` + type: keyword + - name: owned_by.id + description: The unique identifier for this user + type: keyword + - name: owned_by.name + description: The display name of this user. Maps from **.name + type: keyword + - name: owned_by.login + description: The primary email address of this user. Maps from **.login + type: keyword + - name: sequence_id + description: A numeric identifier that represents the most recent user event that has been applied to this item + type: keyword + - name: sha1 + description: SHA1 hash of the item concerned + type: keyword + - name: parent + description: The optional folder that this folder is located within. This value may be null for some folders such as the root folder or the trash folder + type: object + - name: parent.type + description: Value is always `folder` + type: keyword + - name: parent.id + description: The unique identifier that represent a folder + type: keyword + - name: parent.name + description: The name of the folder + type: keyword + - name: parent.etag + description: The HTTP etag of this folder + type: keyword + - name: parent.sequence_id + description: A numeric identifier that represents the most recent user event that has been applied to this item (parent) + type: keyword + - name: item_status + description: Defines if this item has been deleted or not. active when the item has is not in the trash trashed when the item has been moved to the trash but not deleted deleted when the item has been permanently deleted. Value is one of `active`, `trashed`, `deleted` + type: keyword + - name: file_version + description: The information about the current version of the file + type: object + - name: file_version.type + description: Value is always `file_version` + type: keyword + - name: file_version.id + description: The unique identifier that represent a file version + type: keyword + - name: synced + description: Legacy property for compatibility with Box Desktop + type: boolean + - name: purged_at + description: The time at which this file is expected to be purged from the trash + type: boolean + - name: trashed_at + description: The time at which this file was put in the trash + type: boolean diff --git a/packages/box_events/0.1.1/data_stream/events/manifest.yml b/packages/box_events/0.1.1/data_stream/events/manifest.yml new file mode 100755 index 0000000000..7f4ce015f4 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/events/manifest.yml @@ -0,0 +1,33 @@ +title: List user and enterprise events +type: logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Box user and enterprise events + description: Collect user and enterprise events from the Box API + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the API. + multi: false + required: true + show_user: true + default: 300s + - name: stream_type + type: text + title: Stream Type + description: >- + To retrieve events for the entire enterprise, set the stream_type to admin_logs_streaming for live monitoring of new events, or admin_logs for querying across historical events. The user making the API call will need to have admin privileges, and the application will need to have the scope manage enterprise properties checked. + multi: false + required: true + show_user: true + default: admin_logs + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false diff --git a/packages/box_events/0.1.1/data_stream/events/sample_event.json b/packages/box_events/0.1.1/data_stream/events/sample_event.json new file mode 100755 index 0000000000..c47816a272 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/events/sample_event.json @@ -0,0 +1,129 @@ +{ + "agent": { + "name": "docker-fleet-agent", + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "ephemeral_id": "02cda318-e8e4-4aab-9dbd-eda10d827a5b", + "type": "filebeat", + "version": "8.2.0" + }, + "elastic_agent": { + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "version": "8.2.0", + "snapshot": false + }, + "box": { + "created_at": "2022-07-20T02:00:54-07:00", + "created_by": { + "id": "19530772260", + "login": "info@elastic.co", + "name": "Elastic Integrations", + "type": "user" + }, + "recorded_at": "2022-07-20T02:00:55-07:00", + "source": { + "created_by": { + "id": "19530772260", + "login": "dominic.page@elastic.co", + "name": "Elastic Integrations", + "type": "user" + }, + "etag": "0", + "id": "167913508968", + "item_status": "active", + "modified_at": "2022-07-20T02:00:53-07:00", + "modified_by": { + "id": "19530772260", + "login": "dominic.page@elastic.co", + "name": "Elastic Integrations", + "type": "user" + }, + "owned_by": { + "id": "19530772260", + "login": "dominic.page@elastic.co", + "name": "Elastic Integrations", + "type": "user" + }, + "parent": { + "id": "0", + "name": "All Files", + "type": "folder" + }, + "path_collection": { + "entries": [ + { + "id": "0", + "name": "All Files", + "type": "folder" + } + ], + "total_count": 1 + }, + "sequence_id": "0", + "synced": false + } + }, + "tags": [ + "preserve_original_event" + ], + "input": { + "type": "httpjson" + }, + "@timestamp": "2022-07-20T07:00:00.000Z", + "file": { + "created": "2022-07-20T07:00:00.000Z", + "ctime": "2022-07-20T07:00:00.000Z", + "directory": "box-test-4 (1)", + "mtime": "2022-07-20T07:00:00.000Z", + "size": 550, + "type": "folder" + }, + "ecs": { + "version": "8.4.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "box_events.events" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.104-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "family": "debian", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": false, + "ip": [ + "172.30.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:1e:00:07" + ], + "architecture": "x86_64" + }, + "event": { + "action": "ITEM_COPY", + "category": [ + "file" + ], + "id": "b941f182663a862f0125c256a5f0cad4a837092b", + "kind": "event", + "original": "{\"created_at\":\"2022-07-20T02:00:54-07:00\",\"created_by\":{\"id\":\"19530772260\",\"login\":\"info@elastic.co\",\"name\":\"Elastic Integrations\",\"type\":\"user\"},\"event_id\":\"b941f182663a862f0125c256a5f0cad4a837092b\",\"event_type\":\"ITEM_COPY\",\"recorded_at\":\"2022-07-20T02:00:55-07:00\",\"session_id\":null,\"source\":{\"content_created_at\":\"2022-07-20T02:00:53-07:00\",\"content_modified_at\":\"2022-07-20T02:00:53-07:00\",\"created_at\":\"2022-07-20T02:00:53-07:00\",\"created_by\":{\"id\":\"19530772260\",\"login\":\"dominic.page@elastic.co\",\"name\":\"Elastic Integrations\",\"type\":\"user\"},\"description\":\"\",\"etag\":\"0\",\"folder_upload_email\":null,\"id\":\"167913508968\",\"item_status\":\"active\",\"modified_at\":\"2022-07-20T02:00:53-07:00\",\"modified_by\":{\"id\":\"19530772260\",\"login\":\"dominic.page@elastic.co\",\"name\":\"Elastic Integrations\",\"type\":\"user\"},\"name\":\"box-test-4 (1)\",\"owned_by\":{\"id\":\"19530772260\",\"login\":\"dominic.page@elastic.co\",\"name\":\"Elastic Integrations\",\"type\":\"user\"},\"parent\":{\"etag\":null,\"id\":\"0\",\"name\":\"All Files\",\"sequence_id\":null,\"type\":\"folder\"},\"path_collection\":{\"entries\":[{\"etag\":null,\"id\":\"0\",\"name\":\"All Files\",\"sequence_id\":null,\"type\":\"folder\"}],\"total_count\":1},\"purged_at\":null,\"sequence_id\":\"0\",\"shared_link\":null,\"size\":550,\"synced\":false,\"trashed_at\":null,\"type\":\"folder\"},\"type\":\"event\"}", + "sequence": 0, + "type": [ + "creation" + ] + }, + "related": { + "user": [ + "19530772260", + "dominic.page@elastic.co", + "Elastic Integrations" + ] + } +} \ No newline at end of file diff --git a/packages/box_events/0.1.1/data_stream/malicious_content_alerts/agent/stream/httpjson.yml.hbs b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..4f6364e91d --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/agent/stream/httpjson.yml.hbs @@ -0,0 +1,41 @@ +config_version: 2 +interval: "{{interval}}" +auth.oauth2: + client.id: "{{client_id}}" + client.secret: "{{client_secret}}" + token_url: "{{api_url}}/oauth2/token" + endpoint_params: + box_subject_id: "{{box_subject_id}}" + box_subject_type: "{{box_subject_type}}" + grant_type: "{{grant_type}}" + stream_type: "{{stream_type}}" +request.url: "{{api_url}}/2.0/events" +request.method: "GET" +request.transforms: + - set: + target: url.params.stream_position + value: '[[.cursor.next_stream_position]]' +response.decode_as: application/json +response.split: + target: body.entries + type: array + keep_parent: false +cursor: + next_stream_position: + value: '[[.last_response.body.next_stream_position]]' +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +processors: +- decode_json_fields: + fields: message + target: box +- drop_event: + when: + not: + equals: + box.additional_details.shield_alert.rule_category: "Malicious Content" \ No newline at end of file diff --git a/packages/box_events/0.1.1/data_stream/malicious_content_alerts/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..d409c0b605 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,290 @@ +--- +description: Pipeline for parsing Box Malicious Content Alerts +processors: + - set: + field: ecs.version + value: "8.4.0" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: box + - date: + field: box.recorded_at + target_field: "@timestamp" + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + if: "ctx.box?.source != null" + - rename: + field: box.session_id + target_field: box.session.id + ignore_missing: true +# `box.type` is always `event` - remove to avoid ambiguity with `event.kind` + - remove: + field: box.type + ignore_missing: true + - set: + field: event.kind + value: "alert" + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - set: + field: event.category + value: ["malware", "threat"] + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - set: + field: event.type + value: ["indicator"] + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - rename: + field: box.event_type + target_field: event.action + ignore_missing: true + - rename: + field: box.event_id + target_field: event.id + ignore_missing: true +# Box Shield can add these fields + - date: + field: box.additional_details.shield_alert.alert_summary.upload_activity.occurred_at + target_field: "@timestamp" + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + - script: + description: Confect malware event Description + lang: painless + source: | + if (ctx.threat == null) { + ctx.threat = new HashMap(); + } + if (ctx.threat?.indicator == null) { + ctx.threat.indicator = new HashMap(); + } + ctx.threat.indicator.description = ctx.box.additional_details.shield_alert.malware_info.malware_name + + ", " + ctx.box.additional_details.shield_alert.malware_info.family + + ", " + ctx.box.additional_details.shield_alert.malware_info.file_name + + " Detected by Box Shield from IP " + ctx.box.additional_details.shield_alert.alert_summary.upload_activity.ip_info.ip + + ". " + ctx.box.additional_details.shield_alert.malware_info.description + + " see " + ctx.box.additional_details.shield_alert.malware_info.detail_link + - rename: + field: box.ip_address + target_field: client.ip + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.risk_score + target_field: event.risk_score + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.upload_activity.ip_info.city_name + target_field: threat.indicator.geo.city_name + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.upload_activity.ip_info.country_code + target_field: threat.indicator.geo.country_iso_code + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.upload_activity.ip_info.latitude + target_field: threat.indicator.geo.location.lat + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.upload_activity.ip_info.longitude + target_field: threat.indicator.geo.location.lon + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.upload_activity.ip_info.region_name + target_field: threat.indicator.geo.region_name + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.upload_activity.ip_info.ip + target_field: threat.indicator.ip + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.link + target_field: threat.indicator.reference + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.rule_category + target_field: rule.category + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.rule_id + type: string + target_field: rule.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.rule_id + ignore_failure: true + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.rule_name + target_field: rule.name + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.alert_id + type: string + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.email + target_field: user.effective.email + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.name + target_field: user.effective.name + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.user.id + type: string + target_field: user.effective.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.user.id + ignore_failure: true + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.name + target_field: threat.indicator.provider + ignore_missing: true + - set: + field: threat.indicator.type + value: "software" + - rename: + field: box.additional_details.shield_alert.malware_info.first_seen + target_field: threat.indicator.first_seen + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.malware_info.last_seen + target_field: threat.indicator.last_seen + ignore_missing: true + - append: + field: related.ip + value: "{{{threat.indicator.ip}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.ip + value: "{{{client.ip}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.additional_details.shield_alert.malware_info.file_created_by.email}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.additional_details.shield_alert.malware_info.file_created_by.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.additional_details.shield_alert.malware_info.file_created_by.name}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.additional_details.shield_alert.malware_info.file_version_uploaded_by.email}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.additional_details.shield_alert.malware_info.file_version_uploaded_by.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.additional_details.shield_alert.malware_info.file_version_uploaded_by.name}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.created_by.email}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.box?.created_by?.type == "user" + - append: + field: related.user + value: "{{{box.created_by.id}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.box?.created_by?.type == "user" + - append: + field: related.user + value: "{{{box.created_by.name}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.box?.created_by?.type == "user" + - append: + field: related.user + value: "{{{user.effective.email}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.name}}}" + ignore_failure: true + allow_duplicates: false + - script: + description: Capitalize Priority to match Appendix A of the STIX 2.1 framework + lang: painless + source: | + if (ctx.box?.additional_details?.shield_alert?.priority != null) { + ctx.threat.indicator.confidence = + ctx.box.additional_details.shield_alert.priority.substring(0, 1).toUpperCase() + + ctx.box.additional_details.shield_alert.priority.substring(1); + } +# Do AS look-ups as well + - geoip: + database_file: GeoLite2-ASN.mmdb + field: threat.indicator.ip + target_field: threat.indicator.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: threat.indicator.as.asn + target_field: threat.indicator.as.number + ignore_missing: true + - rename: + field: threat.indicator.as.organization_name + target_field: threat.indicator.as.organization.name + ignore_missing: true +# Conditionally, remove event.original + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +# Drop empty/null fields + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/agent.yml b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/agent.yml new file mode 100755 index 0000000000..8603c3c91e --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/agent.yml @@ -0,0 +1,238 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + + - name: cpu.pct + type: scaled_float + format: percent + description: > + Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + + - name: disk.read.bytes + type: long + format: bytes + description: > + The total number of bytes read successfully in a given period of time. + + - name: disk.write.bytes + type: long + format: bytes + description: > + The total number of bytes write successfully in a given period of time. + + - name: network.in.bytes + type: long + format: bytes + description: > + The number of bytes received on all network interfaces by the host in a given period of time. + + - name: network.in.packets + type: long + description: > + The number of packets received on all network interfaces by the host in a given period of time. + + - name: network.out.bytes + type: long + format: bytes + description: > + The number of bytes sent out on all network interfaces by the host in a given period of time. + + - name: network.out.packets + type: long + description: > + The number of packets sent out on all network interfaces by the host in a given period of time. + diff --git a/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/base-fields.yml b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/base-fields.yml new file mode 100755 index 0000000000..a40b97a145 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/base-fields.yml @@ -0,0 +1,23 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: box +- name: event.dataset + type: constant_keyword + description: Event dataset + value: box_events.events +- name: input.type + description: Type of Filebeat input. + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/ecs.yml b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/ecs.yml new file mode 100755 index 0000000000..473f0fe2b8 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/ecs.yml @@ -0,0 +1,177 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File creation time. + Note that not all filesystems store the creation time. + name: file.created + type: date +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.as.organization.name + type: keyword +- description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + name: threat.indicator.confidence + type: keyword +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: City name. + name: threat.indicator.geo.city_name + type: keyword +- description: Country ISO code. + name: threat.indicator.geo.country_iso_code + type: keyword +- description: Longitude and latitude. + name: threat.indicator.geo.location + type: geo_point +- description: Region name. + name: threat.indicator.geo.region_name + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Reference URL linking to additional information about this indicator. + name: threat.indicator.reference + type: keyword +- description: Type of indicator as represented by Cyber Observable in STIX 2.0. + name: threat.indicator.type + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: User email address. + name: user.effective.email + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/fields.yml b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/fields.yml new file mode 100755 index 0000000000..9771a60c0f --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/fields/fields.yml @@ -0,0 +1,153 @@ +- name: box + type: object + fields: + - name: created_by + type: object + fields: + - name: id + description: The unique identifier for the connection user + type: keyword + - name: name + description: The display name of the connection user. Maps from **.name + type: keyword + - name: login + description: The primary email address of the connection user. Maps from **.login + - name: type + description: E.g. `user` + - name: session.id + description: The session of the user that performed the action. Not all events will populate this attribute + type: keyword + - name: recorded_at + description: The date and time at which this event occurred + type: date + - name: created_at + description: When the event object was created + type: date + - name: additional_details + type: object + fields: + - name: shield_alert + type: object + fields: + - name: alert_id + description: Box Shield alert ID + type: keyword + - name: created_at + description: Time alert was created + type: date + - name: priority + description: Box Shield priority of this alert + type: keyword + - name: alert_summary + type: object + fields: + - name: upload_activity + type: object + fields: + - name: event_type + description: Type of event, e.g. `Upload` + type: keyword + - name: ip_info + type: object + fields: + - name: ip + description: IP address + type: ip + - name: registrant + description: Registrant of IP + - name: item_id + description: ID of item + type: keyword + - name: item_name + description: Name of item + type: keyword + - name: item_path + description: Path to Item + type: keyword + - name: item_type + description: Type of Item + type: keyword + - name: occurred_at + description: Time of Upload + type: keyword + - name: service_name + description: Service used to upload the suspected Malware + type: keyword + - name: malware_info + type: object + fields: + - name: categories + description: Array of Malware Categories e.g. `Adware`, `Spyware` + type: keyword + - name: description + description: Describes the Malware + type: keyword + - name: detail_link + description: URL with detail of Malware + type: keyword + - name: family + description: Malware Family + type: keyword + - name: file_created + description: Date of file creation + type: date + - name: file_created_by + type: object + fields: + - name: email + description: Email of file creator + type: keyword + - name: id + description: ID of file creator + type: long + - name: name + description: Display name of file creator + type: keyword + - name: file_hash + description: File hash + type: keyword + - name: file_hash_type + description: Hash type, e.g. `SHA-1` + type: keyword + - name: file_id + description: File ID + type: long + - name: file_name + description: File name + type: keyword + - name: file_size_bytes + description: File size in bytes + type: long + - name: file_version + description: File version + type: long + - name: file_version_uploaded + description: Date this version of file was uploaded + type: date + - name: file_version_uploaded_by + type: object + fields: + - name: email + description: Email of file uploader + type: keyword + - name: id + description: ID of file uploader + type: long + - name: name + description: Display name of file uploader + type: keyword + - name: first_seen + description: Time Malware first observed + type: date + - name: last_seen + description: Time Malware last observed + type: date + - name: malware_name + description: Malware name + type: keyword + - name: status + description: Malware status e.g. `Malicious` + type: keyword + - name: tags + description: Array of Malware Tags e.g. `FILE_MALICIOUS_EXECUTION` + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/malicious_content_alerts/manifest.yml b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/manifest.yml new file mode 100755 index 0000000000..69136983b3 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/manifest.yml @@ -0,0 +1,33 @@ +title: List user and enterprise events +type: logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Box Shield Malicious Content Alerts + description: Collect Box Shield Malicious Content Alerts with appropriate Box Opt-in Settings + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the API. + multi: false + required: true + show_user: true + default: 300s + - name: stream_type + type: text + title: Stream Type + description: >- + To retrieve events for the entire enterprise, set the stream_type to admin_logs_streaming for live monitoring of new events, or admin_logs for querying across historical events. The user making the API call will need to have admin privileges, and the application will need to have the scope manage enterprise properties checked. + multi: false + required: true + show_user: true + default: admin_logs + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false diff --git a/packages/box_events/0.1.1/data_stream/malicious_content_alerts/sample_event.json b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/sample_event.json new file mode 100755 index 0000000000..5a56130eaa --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/malicious_content_alerts/sample_event.json @@ -0,0 +1,180 @@ +{ + "agent": { + "name": "docker-fleet-agent", + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "ephemeral_id": "02cda318-e8e4-4aab-9dbd-eda10d827a5b", + "type": "filebeat", + "version": "8.4.0" + }, + "elastic_agent": { + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "version": "8.4.0", + "snapshot": false + }, + "box": { + "additional_details": { + "shield_alert": { + "alert_id": "2398", + "alert_summary": { + "upload_activity": { + "event_type": "Upload", + "ip_info": { + "registrant": "Microsoft Corporation" + }, + "item_id": "127", + "item_name": "virus.exe", + "item_path": "ABC/DEF", + "item_type": "file", + "occurred_at": "2019-12-20T11:37:05-08:00", + "service_name": "Service name" + } + }, + "created_at": "2019-12-20T11:37:15-08:00", + "malware_info": { + "categories": [ + "Adware", + "SpyWare" + ], + "description": "This is a really bad file", + "detail_link": "https://some.link/xyz", + "family": "MalwareBot4000", + "file_created": "2019-12-20T11:37:05-08:00", + "file_created_by": { + "email": "bob@enterprise.com", + "id": 1010, + "name": "Bob" + }, + "file_hash": "d869db7fe62fb07c25a0403ecaea55031744b5fb", + "file_hash_type": "SHA-1", + "file_id": 127, + "file_name": "malware.exe", + "file_size_bytes": 51345, + "file_version": 4239023, + "file_version_uploaded": "2019-12-20T11:37:05-08:00", + "file_version_uploaded_by": { + "email": "jane@enterprise.com", + "id": 1011, + "name": "Jane" + }, + "malware_name": "BadMalware", + "status": "Malicious", + "tags": [ + "FILE_MALICIOUS_EXECUTION", + "FILE_OTHER_TAG" + ] + }, + "priority": "medium" + } + }, + "created_at": "2019-12-20T11:38:56-08:00", + "created_by": { + "id": "2", + "name": "Unknown User", + "type": "user" + } + }, + "tags": [ + "preserve_original_event" + ], + "input": { + "type": "httpjson" + }, + "@timestamp": "2019-12-20T08:00:00.000Z", + "ecs": { + "version": "8.4.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "box_events.malicious_content_alerts" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.104-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "family": "debian", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": false, + "ip": [ + "172.30.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:1e:00:07" + ], + "architecture": "x86_64" + }, + "event": { + "action": "SHIELD_ALERT", + "category": [ + "malware", + "threat" + ], + "id": "97f1b31f-f143-4777-81f8-1b557b39ca33", + "kind": "alert", + "original": "{\"source\":null,\"created_by\":{\"type\":\"user\",\"id\":\"2\",\"name\":\"Unknown User\",\"login\":\"\"},\"action_by\":null,\"created_at\":\"2019-12-20T11:38:56-08:00\",\"event_id\":\"97f1b31f-f143-4777-81f8-1b557b39ca33\",\"event_type\":\"SHIELD_ALERT\",\"ip_address\":\"10.1.2.3\",\"type\":\"event\",\"session_id\":null,\"additional_details\":{\"shield_alert\":{\"rule_category\":\"Malicious Content\",\"rule_id\":123,\"rule_name\":\"Viruses and stuff\",\"risk_score\":100,\"alert_summary\":{\"upload_activity\":{\"occurred_at\":\"2019-12-20T11:37:05-08:00\",\"event_type\":\"Upload\",\"item_name\":\"virus.exe\",\"item_type\":\"file\",\"item_id\":\"127\",\"item_path\":\"ABC/DEF\",\"sha1_hash\":\"\",\"ip_info\":{\"ip\":\"67.43.156.0\",\"latitude\":\"37.5555\",\"longitude\":\"-120.6789\",\"registrant\":\"Microsoft Corporation\",\"country_code\":\"US\",\"city_name\":\"San Jose\",\"region_name\":\"California\"},\"service_name\":\"Service name\"}},\"malware_info\":{\"file_id\":127,\"file_name\":\"malware.exe\",\"file_version\":4239023,\"file_created\":\"2019-12-20T11:37:05-08:00\",\"file_created_by\":{\"id\":1010,\"name\":\"Bob\",\"email\":\"bob@enterprise.com\"},\"file_hash\":\"d869db7fe62fb07c25a0403ecaea55031744b5fb\",\"file_hash_type\":\"SHA-1\",\"file_size_bytes\":51345,\"file_version_uploaded\":\"2019-12-20T11:37:05-08:00\",\"file_version_uploaded_by\":{\"id\":1011,\"name\":\"Jane\",\"email\":\"jane@enterprise.com\"},\"status\":\"Malicious\",\"categories\":[\"Adware\",\"SpyWare\"],\"tags\":[\"FILE_MALICIOUS_EXECUTION\",\"FILE_OTHER_TAG\"],\"description\":\"This is a really bad file\",\"detail_link\":\"https://some.link/xyz\",\"malware_name\":\"BadMalware\",\"first_seen\":\"2019-12-19T11:37:05-08:00\",\"last_seen\":\"2019-12-20T11:37:05-08:00\",\"family\":\"MalwareBot4000\"},\"alert_id\":2398,\"priority\":\"medium\",\"user\":{\"id\":2320,\"name\":\"Some Name\",\"email\":\"some@email.com\"},\"link\":\"https://app.box.com/master/shield/alerts/2398\",\"created_at\":\"2019-12-20T11:37:15-08:00\"}}}", + "risk_score": 100, + "type": [ + "indicator" + ] + }, + "rule": { + "category": "Malicious Content", + "id": "123", + "name": "Viruses and stuff" + }, + "related": { + "ip": [ + "67.43.156.0", + "10.1.2.3" + ], + "user": [ + "bob@enterprise.com", + "1010", + "Bob", + "jane@enterprise.com", + "1011", + "Jane", + "2", + "Unknown User", + "some@email.com", + "2320", + "Some Name" + ] + }, + "threat": { + "indicator": { + "as": { + "number": 35908 + }, + "confidence": "Medium", + "description": "BadMalware, MalwareBot4000, malware.exe Detected by Box Shield from IP 67.43.156.0. This is a really bad file see https://some.link/xyz", + "first_seen": "2019-12-19T11:37:05-08:00", + "geo": { + "city_name": "San Jose", + "country_iso_code": "US", + "location": { + "lat": "37.5555", + "lon": "-120.6789" + }, + "region_name": "California" + }, + "ip": "67.43.156.0", + "last_seen": "2019-12-20T11:37:05-08:00", + "reference": "https://app.box.com/master/shield/alerts/2398", + "type": "software" + } + }, + "user": { + "effective": { + "email": "some@email.com", + "id": "2320", + "name": "Some Name" + } + } +} \ No newline at end of file diff --git a/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/agent/stream/httpjson.yml.hbs b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..fb48da073b --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/agent/stream/httpjson.yml.hbs @@ -0,0 +1,45 @@ +config_version: 2 +interval: "{{interval}}" +auth.oauth2: + client.id: "{{client_id}}" + client.secret: "{{client_secret}}" + token_url: "{{api_url}}/oauth2/token" + endpoint_params: + box_subject_id: "{{box_subject_id}}" + box_subject_type: "{{box_subject_type}}" + grant_type: "{{grant_type}}" + stream_type: "{{stream_type}}" +request.url: "{{api_url}}/2.0/events" +request.method: "GET" +request.transforms: + - set: + target: url.params.stream_position + value: '[[.cursor.next_stream_position]]' +response.decode_as: application/json +response.split: + target: body.entries + type: array + keep_parent: false + split: + target: body.additional_details.shield_alert.alert_summary.alert_activities + type: array + keep_parent: true +cursor: + next_stream_position: + value: '[[.last_response.body.next_stream_position]]' +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +processors: +- decode_json_fields: + fields: message + target: box +- drop_event: + when: + not: + equals: + box.additional_details.shield_alert.rule_category: "Suspicious Locations" \ No newline at end of file diff --git a/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..0ee0499110 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,278 @@ +--- +description: Pipeline for parsing Box Suspicious Locations Alerts +processors: + - set: + field: ecs.version + value: "8.4.0" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: box + - rename: + field: box.session_id + target_field: box.session.id + ignore_missing: true +# `box.type` is always `event` - remove to avoid ambiguity with `event.kind` + - remove: + field: box.type + ignore_missing: true + - set: + field: event.kind + value: "alert" + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - set: + field: event.category + value: ["network"] + ignore_failure: true + - set: + field: event.type + value: ["access","connection","indicator"] + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - rename: + field: box.event_type + target_field: event.action + ignore_missing: true + - rename: + field: box.event_id + target_field: event.id + ignore_missing: true +# Box Shield can add these fields + - date: + field: box.additional_details.shield_alert.alert_summary.alert_activities.occurred_at + target_field: "@timestamp" + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + if: "ctx.box?.additional_details != null" + - rename: + field: box.ip_address + target_field: client.ip + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.risk_score + target_field: event.risk_score + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.link + target_field: threat.indicator.reference + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.rule_category + target_field: rule.category + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.rule_id + type: string + target_field: rule.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.rule_id + ignore_failure: true + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.rule_name + target_field: rule.name + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.alert_id + type: string + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.email + target_field: user.effective.email + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.name + target_field: user.effective.name + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.user.id + type: string + target_field: user.effective.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.user.id + ignore_failure: true + ignore_missing: true +# locations + - script: + description: Set STIX indicator type + lang: painless + source: | + if (ctx.threat == null) { + ctx.threat = new HashMap(); + } + if (ctx.threat?.indicator == null) { + ctx.threat.indicator = new HashMap(); + } + if (ctx.box.additional_details.shield_alert.alert_summary.alert_activities.ip_info.ip.indexOf(":") > -1) { + ctx.threat.indicator.put("type","ipv6-addr"); + } else { + ctx.threat.indicator.put("type","ipv4-addr"); + } + - script: + description: Confect description from multiple fields + lang: painless + source: | + ctx.threat.indicator.description = "IP " + + ctx.box.additional_details.shield_alert.alert_summary.alert_activities.ip_info.ip + " " + + ctx.box.additional_details.shield_alert.alert_summary.alert_activities.event_type + " " + + ctx.box.additional_details.shield_alert.alert_summary.alert_activities.item_type + " " + + ctx.box.additional_details.shield_alert.alert_summary.alert_activities.item_path + "/" + + ctx.box.additional_details.shield_alert.alert_summary.alert_activities.item_name + " by " + + ctx.box.additional_details.shield_alert.alert_summary.alert_activities.service_name + - rename: + field: box.additional_details.shield_alert.alert_summary.alert_activities.ip_info.longitude + target_field: threat.indicator.geo.location.lon + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.alert_activities.ip_info.latitude + target_field: threat.indicator.geo.location.lat + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.alert_activities.ip_info.city_name + target_field: threat.indicator.geo.city_name + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.alert_activities.ip_info.country_code + target_field: threat.indicator.geo.country_iso_code + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.alert_activities.ip_info.country_name + target_field: threat.indicator.geo.country_name + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.alert_activities.ip_info.ip + target_field: threat.indicator.ip + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.sessions.activities.service_name + target_field: threat.indicator.provider + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.link + target_field: threat.indicator.reference + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.alert_id + type: string + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.email + target_field: user.effective.email + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.name + target_field: user.effective.name + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.user.id + type: string + target_field: user.effective.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.user.id + ignore_failure: true + ignore_missing: true + - append: + field: related.ip + value: "{{{threat.indicator.ip}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.ip + value: "{{{client.ip}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.created_by.email}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.event?.type == "user" + - append: + field: related.user + value: "{{{box.created_by.id}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.event?.type == "user" + - append: + field: related.user + value: "{{{box.created_by.name}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.event?.type == "user" + - append: + field: related.user + value: "{{{user.effective.email}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.name}}}" + ignore_failure: true + allow_duplicates: false + - script: + description: Capitalize Priority to match Appendix A of the STIX 2.1 framework + lang: painless + source: | + if (ctx.box?.additional_details?.shield_alert?.priority != null) { + ctx.threat.indicator.confidence = + ctx.box.additional_details.shield_alert.priority.substring(0, 1).toUpperCase() + + ctx.box.additional_details.shield_alert.priority.substring(1); + } +# Do AS look-ups as well + - geoip: + database_file: GeoLite2-ASN.mmdb + field: threat.indicator.ip + target_field: threat.indicator.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: threat.indicator.as.asn + target_field: threat.indicator.as.number + ignore_missing: true + - rename: + field: threat.indicator.as.organization_name + target_field: threat.indicator.as.organization.name + ignore_missing: true +# Conditionally, remove event.original + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +# Drop empty/null fields + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/agent.yml b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/agent.yml new file mode 100755 index 0000000000..8603c3c91e --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/agent.yml @@ -0,0 +1,238 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + + - name: cpu.pct + type: scaled_float + format: percent + description: > + Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + + - name: disk.read.bytes + type: long + format: bytes + description: > + The total number of bytes read successfully in a given period of time. + + - name: disk.write.bytes + type: long + format: bytes + description: > + The total number of bytes write successfully in a given period of time. + + - name: network.in.bytes + type: long + format: bytes + description: > + The number of bytes received on all network interfaces by the host in a given period of time. + + - name: network.in.packets + type: long + description: > + The number of packets received on all network interfaces by the host in a given period of time. + + - name: network.out.bytes + type: long + format: bytes + description: > + The number of bytes sent out on all network interfaces by the host in a given period of time. + + - name: network.out.packets + type: long + description: > + The number of packets sent out on all network interfaces by the host in a given period of time. + diff --git a/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/base-fields.yml b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/base-fields.yml new file mode 100755 index 0000000000..a40b97a145 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/base-fields.yml @@ -0,0 +1,23 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: box +- name: event.dataset + type: constant_keyword + description: Event dataset + value: box_events.events +- name: input.type + description: Type of Filebeat input. + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/ecs.yml b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/ecs.yml new file mode 100755 index 0000000000..996e7e5ea8 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/ecs.yml @@ -0,0 +1,176 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File creation time. + Note that not all filesystems store the creation time. + name: file.created + type: date +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: A list of associated indicators objects enriching the event, and the context of that association/enrichment. + name: threat.enrichments + normalize: + - array + type: nested +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.as.organization.name + type: keyword +- description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + name: threat.indicator.confidence + type: keyword +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: City name. + name: threat.indicator.geo.city_name + type: keyword +- description: Country ISO code. + name: threat.indicator.geo.country_iso_code + type: keyword +- description: Longitude and latitude. + name: threat.indicator.geo.location + type: geo_point +- description: Region name. + name: threat.indicator.geo.region_name + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: Reference URL linking to additional information about this indicator. + name: threat.indicator.reference + type: keyword +- description: Type of indicator as represented by Cyber Observable in STIX 2.0. + name: threat.indicator.type + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: User email address. + name: user.effective.email + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/fields.yml b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/fields.yml new file mode 100755 index 0000000000..0a642eb60d --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/fields/fields.yml @@ -0,0 +1,85 @@ +- name: box + type: object + fields: + - name: created_by + type: object + fields: + - name: id + description: The unique identifier for the connection user + type: keyword + - name: name + description: The display name of the connection user. Maps from **.name + type: keyword + - name: login + description: The primary email address of the connection user. Maps from **.login + - name: type + description: E.g. `user` + - name: session.id + description: The session of the user that performed the action. Not all events will populate this attribute + type: keyword + - name: recorded_at + description: The date and time at which this event occurred + type: date + - name: created_at + description: When the event object was created + type: date + - name: additional_details + type: object + fields: + - name: shield_alert + type: object + fields: + - name: alert_id + description: Box Shield alert ID + type: keyword + - name: priority + description: Box alert priority e.g. `medium` + type: keyword + - name: created_at + description: when the alert was created + type: date + - name: alert_summary + type: object + fields: + - name: alert_activities + type: object + fields: + - name: event_type + description: Event type, e.g. `Download` + type: keyword + - name: item_id + description: Item ID type, e.g. `123` + type: keyword + - name: item_name + description: Item name, e.g. `xyz.txt` + type: keyword + - name: item_path + description: Item path, e.g. `ABC/DEF` + type: keyword + - name: item_type + description: Item type, e.g. `file` + type: keyword + - name: occurred_at + description: When the alert occurred + type: date + - name: service_name + description: Name of the service, e.g. `Box Excel Online Previewer` + type: keyword + - name: ip_info + type: object + fields: + - name: city_name + description: City name e.g. `San Jose` + type: keyword + - name: country_code + description: City name e.g. `US` + type: keyword + - name: ip + description: IP + type: ip + - name: region_name + description: City name e.g. `California` + type: keyword + - name: registrant + description: City name e.g. `Microsoft Corporation` + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/manifest.yml b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/manifest.yml new file mode 100755 index 0000000000..d09429f35b --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/manifest.yml @@ -0,0 +1,33 @@ +title: List user and enterprise events +type: logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Box Shield Suspicious Locations Alerts + description: Collect Box Shield Suspicious Locations Alerts with appropriate Box Opt-in Settings + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the API. + multi: false + required: true + show_user: true + default: 300s + - name: stream_type + type: text + title: Stream Type + description: >- + To retrieve events for the entire enterprise, set the stream_type to admin_logs_streaming for live monitoring of new events, or admin_logs for querying across historical events. The user making the API call will need to have admin privileges, and the application will need to have the scope manage enterprise properties checked. + multi: false + required: true + show_user: true + default: admin_logs + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false diff --git a/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/sample_event.json b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/sample_event.json new file mode 100755 index 0000000000..57c5ba6fe4 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_locations_alerts/sample_event.json @@ -0,0 +1,141 @@ +{ + "agent": { + "name": "docker-fleet-agent", + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "ephemeral_id": "02cda318-e8e4-4aab-9dbd-eda10d827a5b", + "type": "filebeat", + "version": "8.4.0" + }, + "elastic_agent": { + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "version": "8.4.0", + "snapshot": false + }, + "box": { + "additional_details": { + "shield_alert": { + "alert_id": "2398", + "alert_summary": { + "alert_activities": { + "event_type": "Download", + "ip_info": { + "region_name": "California", + "registrant": "Microsoft Corporation" + }, + "item_id": "127", + "item_name": "xyz.txt", + "item_path": "ABC/DEF", + "item_type": "file", + "occurred_at": "2019-12-20T11:37:05-08:00", + "service_name": "Box Excel Online Previewer" + } + }, + "created_at": "2019-12-20T11:37:15-08:00", + "priority": "medium" + } + }, + "created_at": "2019-12-20T11:38:56-08:00", + "created_by": { + "id": "2", + "name": "Unknown User", + "type": "user" + } + }, + "client": { + "ip": "10.1.2.3" + }, + "tags": [ + "preserve_original_event" + ], + "input": { + "type": "httpjson" + }, + "@timestamp": "2022-07-05T07:00:00.000Z", + "event": { + "action": "SHIELD_ALERT", + "category": [ + "network" + ], + "id": "97f1b31f-f143-4777-81f8-1b557b39ca33", + "kind": "alert", + "original": "{\"action_by\":null,\"additional_details\":{\"shield_alert\":{\"alert_id\":2398,\"alert_summary\":{\"alert_activities\":{\"event_type\":\"Download\",\"ip_info\":{\"city_name\":\"San Jose\",\"country_code\":\"US\",\"ip\":\"67.43.156.0\",\"latitude\":\"37.5555\",\"longitude\":\"-120.6789\",\"region_name\":\"California\",\"registrant\":\"Microsoft Corporation\"},\"item_id\":\"127\",\"item_name\":\"xyz.txt\",\"item_path\":\"ABC/DEF\",\"item_type\":\"file\",\"occurred_at\":\"2019-12-20T11:37:05-08:00\",\"service_name\":\"Box Excel Online Previewer\"}},\"created_at\":\"2019-12-20T11:37:15-08:00\",\"link\":\"https://app.box.com/master/shield/alerts/2398\",\"priority\":\"medium\",\"risk_score\":60,\"rule_category\":\"Suspicious Locations\",\"rule_id\":123,\"rule_name\":\"Suspicious Location\",\"user\":{\"email\":\"some@email.com\",\"id\":2320,\"name\":\"Some name\"}}},\"created_at\":\"2019-12-20T11:38:56-08:00\",\"created_by\":{\"id\":\"2\",\"login\":\"\",\"name\":\"Unknown User\",\"type\":\"user\"},\"event_id\":\"97f1b31f-f143-4777-81f8-1b557b39ca33\",\"event_type\":\"SHIELD_ALERT\",\"ip_address\":\"10.1.2.3\",\"session_id\":null,\"source\":null,\"type\":\"event\"}", + "risk_score": 60, + "type": [ + "access", + "connection", + "indicator" + ] + }, + "related": { + "ip": [ + "67.43.156.0", + "10.1.2.3" + ], + "user": [ + "some@email.com", + "2320", + "Some name" + ] + }, + "rule": { + "category": "Suspicious Locations", + "id": "123", + "name": "Suspicious Location" + }, + "ecs": { + "version": "8.4.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "box_events.suspicious_locations" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.104-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "family": "debian", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": false, + "ip": [ + "172.30.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:1e:00:07" + ], + "architecture": "x86_64" + }, + "threat": { + "indicator": { + "as": { + "number": 35908 + }, + "confidence": "Medium", + "description": "IP 67.43.156.0Download file ABC/DEF/xyz.txt by Box Excel Online Previewer", + "geo": { + "city_name": "San Jose", + "country_iso_code": "US", + "location": { + "lat": "37.5555", + "lon": "-120.6789" + } + }, + "ip": "67.43.156.0", + "reference": "https://app.box.com/master/shield/alerts/2398", + "type": "ipv4-addr" + } + }, + "user": { + "effective": { + "email": "some@email.com", + "id": "2320", + "name": "Some name" + } + } +} \ No newline at end of file diff --git a/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/agent/stream/httpjson.yml.hbs b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..94fa8acac6 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/agent/stream/httpjson.yml.hbs @@ -0,0 +1,49 @@ +config_version: 2 +interval: "{{interval}}" +auth.oauth2: + client.id: "{{client_id}}" + client.secret: "{{client_secret}}" + token_url: "{{api_url}}/oauth2/token" + endpoint_params: + box_subject_id: "{{box_subject_id}}" + box_subject_type: "{{box_subject_type}}" + grant_type: "{{grant_type}}" + stream_type: "{{stream_type}}" +request.url: "{{api_url}}/2.0/events" +request.method: "GET" +request.transforms: + - set: + target: url.params.stream_position + value: '[[.cursor.next_stream_position]]' +response.decode_as: application/json +response.split: + target: body.entries + type: array + keep_parent: false + split: + target: body.additional_details.shield_alert.alert_summary.sessions + type: array + keep_parent: true + split: + target: body.additional_details.shield_alert.alert_summary.sessions.activities + type: array + keep_parent: true +cursor: + next_stream_position: + value: '[[.last_response.body.next_stream_position]]' +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +processors: +- decode_json_fields: + fields: message + target: box +- drop_event: + when: + not: + equals: + box.additional_details.shield_alert.rule_category: "Suspicious Sessions" diff --git a/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..36f844d479 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,241 @@ +--- +description: Pipeline for parsing Box Suspicious Sessions Alerts +processors: + - set: + field: ecs.version + value: "8.4.0" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: box + - rename: + field: box.session_id + target_field: box.session.id + ignore_missing: true +# `box.type` is always `event` - remove to avoid ambiguity with `event.kind` + - remove: + field: box.type + ignore_missing: true + - set: + field: event.kind + value: "alert" + ignore_failure: true + - set: + field: event.category + value: ["network"] + ignore_failure: true + - append: + field: event.type + value: ["access","connection","indicator"] + if: "ctx.box?.additional_details?.shield_alert != null" + ignore_failure: true + - rename: + field: box.event_type + target_field: event.action + ignore_missing: true + - rename: + field: box.event_id + target_field: event.id + ignore_missing: true +# Box Shield can add these fields + - date: + field: box.additional_details.shield_alert.created_at + target_field: "@timestamp" + ignore_failure: true + formats: + - yyyy-MM-dd'T'hh:mm:ssXXX + if: "ctx.box?.additional_details != null" + - rename: + field: box.additional_details.shield_alert.rule_category + target_field: rule.category + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.rule_id + type: string + target_field: rule.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.rule_id + ignore_failure: true + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.rule_name + target_field: rule.name + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.risk_score + target_field: event.risk_score + ignore_missing: true +# sessions + - set: + value: "user-account" + field: threat.indicator.type + - script: + description: Confect description from multiple fields + lang: painless + source: | + ctx.threat.indicator.description = "IP " + + ctx.box.additional_details.shield_alert.alert_summary.sessions.activities.ip_info.ip + " " + + ctx.box.additional_details.shield_alert.alert_summary.sessions.activities.event_type + " " + + ctx.box.additional_details.shield_alert.alert_summary.sessions.activities.item_type + " " + + ctx.box.additional_details.shield_alert.alert_summary.sessions.activities.item_path + "/" + + ctx.box.additional_details.shield_alert.alert_summary.sessions.activities.item_name + " by " + + ctx.box.additional_details.shield_alert.alert_summary.sessions.activities.service_name + - rename: + field: box.additional_details.shield_alert.alert_summary.sessions.activities.ip_info.longitude + target_field: threat.indicator.geo.location.lon + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.sessions.activities.ip_info.latitude + target_field: threat.indicator.geo.location.lat + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.sessions.activities.ip_info.city_name + target_field: threat.indicator.geo.city_name + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.sessions.activities.ip_info.country_code + target_field: threat.indicator.geo.country_iso_code + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.sessions.activities.ip_info.region_name + target_field: threat.indicator.geo.region_name + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.sessions.activities.ip_info.ip + target_field: threat.indicator.ip + ignore_missing: true +# country name is not reflected in the API docs: this is where it would go were that to be rectified +# - rename: +# field: box.additional_details.shield_alert.alert_summary.sessions.activities.ip_info.country_name +# target_field: threat.indicator.geo.country_name +# ignore_missing: true + - rename: + field: box.additional_details.shield_alert.alert_summary.sessions.activities.service_name + target_field: threat.indicator.provider + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.link + target_field: threat.indicator.reference + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.alert_id + type: string + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.email + target_field: user.effective.email + ignore_missing: true + - rename: + field: box.additional_details.shield_alert.user.name + target_field: user.effective.name + ignore_missing: true + - convert: + field: box.additional_details.shield_alert.user.id + type: string + target_field: user.effective.id + ignore_missing: true + - remove: + field: box.additional_details.shield_alert.user.id + ignore_failure: true + ignore_missing: true + - append: + field: related.ip + value: "{{{threat.indicator.ip}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.ip + value: "{{{box.ip_address}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{box.created_by.email}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.event?.type == "user" + - append: + field: related.user + value: "{{{box.created_by.id}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.event?.type == "user" + - append: + field: related.user + value: "{{{box.created_by.name}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.event?.type == "user" + - append: + field: related.user + value: "{{{user.effective.email}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.id}}}" + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: "{{{user.effective.name}}}" + ignore_failure: true + allow_duplicates: false + - script: + description: Capitalize Priority to match Appendix A of the STIX 2.1 framework + lang: painless + source: | + if (ctx.box?.additional_details?.shield_alert?.priority != null) { + ctx.threat.indicator.confidence = + ctx.box.additional_details.shield_alert.priority.substring(0, 1).toUpperCase() + + ctx.box.additional_details.shield_alert.priority.substring(1); + } +# Do AS look-ups as well + - geoip: + database_file: GeoLite2-ASN.mmdb + field: threat.indicator.ip + target_field: threat.indicator.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: threat.indicator.as.asn + target_field: threat.indicator.as.number + ignore_missing: true + - rename: + field: threat.indicator.as.organization_name + target_field: threat.indicator.as.organization.name + ignore_missing: true +# Conditionally, remove event.original + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +# Drop empty/null fields + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/agent.yml b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/agent.yml new file mode 100755 index 0000000000..8603c3c91e --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/agent.yml @@ -0,0 +1,238 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + + - name: cpu.pct + type: scaled_float + format: percent + description: > + Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + + - name: disk.read.bytes + type: long + format: bytes + description: > + The total number of bytes read successfully in a given period of time. + + - name: disk.write.bytes + type: long + format: bytes + description: > + The total number of bytes write successfully in a given period of time. + + - name: network.in.bytes + type: long + format: bytes + description: > + The number of bytes received on all network interfaces by the host in a given period of time. + + - name: network.in.packets + type: long + description: > + The number of packets received on all network interfaces by the host in a given period of time. + + - name: network.out.bytes + type: long + format: bytes + description: > + The number of bytes sent out on all network interfaces by the host in a given period of time. + + - name: network.out.packets + type: long + description: > + The number of packets sent out on all network interfaces by the host in a given period of time. + diff --git a/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/base-fields.yml b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/base-fields.yml new file mode 100755 index 0000000000..a40b97a145 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/base-fields.yml @@ -0,0 +1,23 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: box +- name: event.dataset + type: constant_keyword + description: Event dataset + value: box_events.events +- name: input.type + description: Type of Filebeat input. + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/ecs.yml b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/ecs.yml new file mode 100755 index 0000000000..355aba04d5 --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/ecs.yml @@ -0,0 +1,174 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File creation time. + Note that not all filesystems store the creation time. + name: file.created + type: date +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.as.organization.name + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + name: threat.indicator.confidence + type: keyword +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: City name. + name: threat.indicator.geo.city_name + type: keyword +- description: Country ISO code. + name: threat.indicator.geo.country_iso_code + type: keyword +- description: Longitude and latitude. + name: threat.indicator.geo.location + type: geo_point +- description: Region name. + name: threat.indicator.geo.region_name + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword +- description: Reference URL linking to additional information about this indicator. + name: threat.indicator.reference + type: keyword +- description: Type of indicator as represented by Cyber Observable in STIX 2.0. + name: threat.indicator.type + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: User email address. + name: user.effective.email + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/fields.yml b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/fields.yml new file mode 100755 index 0000000000..2400a4cc8b --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/fields/fields.yml @@ -0,0 +1,96 @@ +- name: box + type: object + fields: + - name: created_by + type: object + fields: + - name: id + description: The unique identifier for the connection user + type: keyword + - name: name + description: The display name of the connection user. Maps from **.name + type: keyword + - name: login + description: The primary email address of the connection user. Maps from **.login + - name: type + description: E.g. `user` + - name: ip_address + description: The IP of the connection user + - name: session.id + description: The session of the user that performed the action. Not all events will populate this attribute + type: keyword + - name: recorded_at + description: The date and time at which this event occurred + type: date + - name: created_at + description: When the event object was created + type: date + - name: additional_details + type: object + fields: + - name: shield_alert + type: object + fields: + - name: alert_id + description: Box Shield alert ID + type: keyword + - name: priority + description: Box alert priority e.g. `medium` + type: keyword + - name: created_at + description: when the alert was created + type: date + - name: alert_summary + type: object + fields: + - name: description + description: Description of the session which participated in the alert + type: keyword + - name: sessions + type: object + fields: + - name: session_type + description: Session qualification e.g. `suspicious`` + type: keyword + - name: activities + type: object + fields: + - name: event_type + description: Event type, e.g. `Download` + type: keyword + - name: item_id + description: Item ID type, e.g. `123` + type: keyword + - name: item_name + description: Item name, e.g. `xyz.txt` + type: keyword + - name: item_path + description: Item path, e.g. `ABC/DEF` + type: keyword + - name: item_type + description: Item type, e.g. `file` + type: keyword + - name: occurred_at + description: When the alert occurred + type: date + - name: service_name + description: Name of the service, e.g. `Box Excel Online Previewer` + type: keyword + - name: ip_info + type: object + fields: + - name: city_name + description: City name e.g. `San Jose` + type: keyword + - name: country_code + description: City name e.g. `US` + type: keyword + - name: ip + description: IP + type: ip + - name: region_name + description: City name e.g. `California` + type: keyword + - name: registrant + description: City name e.g. `Microsoft Corporation` + type: keyword diff --git a/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/manifest.yml b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/manifest.yml new file mode 100755 index 0000000000..9331f4b54d --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/manifest.yml @@ -0,0 +1,33 @@ +title: List user and enterprise events +type: logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Box Shield Suspicious Sessions Alerts + description: Collect Box Shield Suspicious Sessions Alerts with appropriate Box Opt-in Settings + vars: + - name: interval + type: text + title: Interval + description: Duration between requests to the API. + multi: false + required: true + show_user: true + default: 300s + - name: stream_type + type: text + title: Stream Type + description: >- + To retrieve events for the entire enterprise, set the stream_type to admin_logs_streaming for live monitoring of new events, or admin_logs for querying across historical events. The user making the API call will need to have admin privileges, and the application will need to have the scope manage enterprise properties checked. + multi: false + required: true + show_user: true + default: admin_logs + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false diff --git a/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/sample_event.json b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/sample_event.json new file mode 100755 index 0000000000..060bcfdb2e --- /dev/null +++ b/packages/box_events/0.1.1/data_stream/suspicious_sessions_alerts/sample_event.json @@ -0,0 +1,140 @@ +{ + "agent": { + "name": "docker-fleet-agent", + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "ephemeral_id": "02cda318-e8e4-4aab-9dbd-eda10d827a5b", + "type": "filebeat", + "version": "8.4.0" + }, + "elastic_agent": { + "id": "352eeec2-76a1-41a2-9ee1-8bae9d9ae980", + "version": "8.4.0", + "snapshot": false + }, + "box": { + "additional_details": { + "shield_alert": { + "alert_id": "500", + "alert_summary": { + "description": "First time in prior month user connected from ip 81.2.69.142 First time user agent Some User Agent (Some UA 4.5.6) appeared for user within prior month Apparent distance 9580.0 km between events 59 seconds apart is faster than possible", + "sessions": { + "activities": { + "event_type": "Set shared link expiration", + "ip_info": { + "registrant": "Microsoft Corporation" + }, + "item_id": "123456", + "item_name": "xyz.txt", + "item_path": "ABC/DEF", + "item_type": "file", + "occurred_at": "2019-12-19T11:37:00-08:00" + }, + "session_type": "suspicious" + } + }, + "created_at": "2019-12-20T11:38:16-08:00", + "priority": "medium" + } + }, + "created_at": "2019-12-20T11:38:56-08:00", + "created_by": { + "id": "2", + "name": "Unknown User", + "type": "user" + }, + "ip_address": "10.1.2.3" + }, + "tags": [ + "preserve_original_event" + ], + "input": { + "type": "httpjson" + }, + "@timestamp": "2019-12-20T08:00:00.000Z", + "event": { + "action": "SHIELD_ALERT", + "category": [ + "network" + ], + "id": "97f1b31f-f143-4777-81f8-1b557b39ca33", + "kind": "alert", + "original": "{\"action_by\":null,\"additional_details\":{\"shield_alert\":{\"alert_id\":500,\"alert_summary\":{\"description\":\"First time in prior month user connected from ip 81.2.69.142 First time user agent Some User Agent (Some UA 4.5.6) appeared for user within prior month Apparent distance 9580.0 km between events 59 seconds apart is faster than possible\",\"sessions\":{\"activities\":{\"event_type\":\"Set shared link expiration\",\"ip_info\":{\"city_name\":\"San Jose\",\"country_code\":\"US\",\"ip\":\"81.2.69.142\",\"latitude\":\"37.5555\",\"longitude\":\"-120.6789\",\"region_name\":\"California\",\"registrant\":\"Microsoft Corporation\"},\"item_id\":\"123456\",\"item_name\":\"xyz.txt\",\"item_path\":\"ABC/DEF\",\"item_type\":\"file\",\"occurred_at\":\"2019-12-19T11:37:00-08:00\",\"service_name\":\"ServiceName\"},\"session_type\":\"suspicious\"}},\"created_at\":\"2019-12-20T11:38:16-08:00\",\"link\":\"https://cloud.app.box.com/master/shield/alerts/500\",\"priority\":\"medium\",\"risk_score\":77,\"rule_category\":\"Suspicious Sessions\",\"rule_id\":123,\"rule_name\":\"Suspicious Session\",\"user\":{\"email\":\"a@b.c\",\"id\":50500,\"name\":\"A b c\"}}},\"created_at\":\"2019-12-20T11:38:56-08:00\",\"created_by\":{\"id\":\"2\",\"login\":\"\",\"name\":\"Unknown User\",\"type\":\"user\"},\"event_id\":\"97f1b31f-f143-4777-81f8-1b557b39ca33\",\"event_type\":\"SHIELD_ALERT\",\"ip_address\":\"10.1.2.3\",\"session_id\":null,\"source\":null,\"type\":\"event\"}", + "risk_score": 77, + "type": [ + "access", + "connection", + "indicator" + ] + }, + "related": { + "ip": [ + "81.2.69.142", + "10.1.2.3" + ], + "user": [ + "a@b.c", + "50500", + "A b c" + ] + }, + "rule": { + "category": "Suspicious Sessions", + "id": "123", + "name": "Suspicious Session" + }, + "ecs": { + "version": "8.4.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "box_events.suspicious_sessions" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "5.10.104-linuxkit", + "codename": "focal", + "name": "Ubuntu", + "family": "debian", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": false, + "ip": [ + "172.30.0.7" + ], + "name": "docker-fleet-agent", + "mac": [ + "02:42:ac:1e:00:07" + ], + "architecture": "x86_64" + }, + "threat": { + "indicator": { + "confidence": "Medium", + "description": "IP 81.2.69.142Set shared link expiration file ABC/DEF/xyz.txt by ServiceName", + "geo": { + "city_name": "San Jose", + "country_iso_code": "US", + "location": { + "lat": "37.5555", + "lon": "-120.6789" + }, + "region_name": "California" + }, + "ip": "81.2.69.142", + "provider": "ServiceName", + "reference": "https://cloud.app.box.com/master/shield/alerts/500", + "type": "user-account" + } + }, + "user": { + "effective": { + "email": "a@b.c", + "id": "50500", + "name": "A b c" + } + } +} \ No newline at end of file diff --git a/packages/box_events/0.1.1/docs/README.md b/packages/box_events/0.1.1/docs/README.md new file mode 100755 index 0000000000..522ce77386 --- /dev/null +++ b/packages/box_events/0.1.1/docs/README.md @@ -0,0 +1,176 @@ +# Box Events Integration + +The Box Events integration allows you to monitor [Box](https://app.box.com/). Box is a secure cloud storage and collaboration service that allows businesses and individuals to easily share files. + +Use the Box Events integration to ingest the activity logs which are generated each time files are uploaded, accessed, or modified in Box, enabling you to monitor data movement to the cloud. If you have [opted-in to receive additional events](https://developer.box.com/guides/events/event-triggers/shield-alert-events/), the Box Events integration will ingest context-rich alerts on potential threats, such as compromised accounts and data theft, based on anomalous user behavior. Combining this data with other events can lead to the detection of data exfiltration attacks. + +Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference `box_events.events` when troubleshooting an issue. + +For example, if you wanted to set up notifications for incoming Box Shield alerts you could verify that this data is being ingested from the `Box Shield Alerts` Dashboard. Then, go to `Alerts and Insights / Rules and Connectors` in the sidebar and set up a Rule using an Elasticsearch Query against index `*box*alert*` with time field `@timestamp` and DSL + +``` +{ + "query":{ + "match" : { + "event.kind": "alert" + } + } +} +``` + +to match incoming box alerts during your desired timeframe and notify you using your preferred connector. + +## Compatibility + +The Box Web Application does not feature version numbers, see this [Community Post](https://support.box.com/hc/en-us/community/posts/1500000033881/comments/1500000038001). This integration was configured and tested against Box in the second quarter of 2022. + +### Box Events + +The Box events API enables subscribing to live events across the enterprise or for a particular user, or querying historical events across the enterprise. + +The API Returns up to a year of past events for a given user or for the entire enterprise. + +By default this returns events for the authenticated user. + +#### Elastic Integration for Box Events Settings + +To retrieve events for the entire enterprise, set the `stream_type` in the Elastic Integration Settings page to `admin_logs_streaming` for live monitoring of new events, or `admin_logs` for querying across historical events. + +Events will be returned in batches of up to 100, with successive calls on expiry of the configured `interval` so you may wish to specify a lower interval when a substantial number of events are expected. + +#### Target Repository Authentication Settings + +The Elastic Integration for Box Events connects using OAuth 2.0 to interact with a Box Custom App. To configure a Box Custom App see [Setup with OAuth 2.0](https://developer.box.com/guides/authentication/oauth2/oauth2-setup/). + +Your app will need: + +- A Custom Application using Server Authentication (with Client Credentials Grant) authentication in the Box Developer Console +- [2FA](https://support.box.com/hc/en-us/articles/360043697154-Two-Factor-Authentication-Set-Up-for-Your-Account) enabled on your Box account for viewing and copying the application's client secret from the configuration tab +- The application is [authorized](https://developer.box.com/guides/authorization/custom-app-approval/) in the Box Admin Console + +#### Target Repository User Privileges + +To access the `events` endpoint, the user making the API call will need to have `admin` privileges, and the application will need to have the scope `manage enterprise properties` checked. Changes to these settings may require you to repeat the `Custom App Approval` authorisation. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| box.created_at | When the event object was created | date | +| box.created_by.id | The unique identifier for the connection user | keyword | +| box.created_by.login | The primary email address of the connection user. Maps from \*\*.login | | +| box.created_by.name | The display name of the connection user. Maps from \*\*.name | keyword | +| box.created_by.type | E.g. `user` | | +| box.recorded_at | The date and time at which this event occurred | date | +| box.session.id | The session of the user that performed the action. Not all events will populate this attribute | keyword | +| box.source.created_at | The date and time at which this folder was originally created | date | +| box.source.created_by | The user who created this folder | object | +| box.source.created_by.id | The unique identifier for this user | keyword | +| box.source.created_by.login | The primary email address of this user. Maps from \*\*.login | keyword | +| box.source.created_by.name | The display name of this user. Maps from \*\*.name | keyword | +| box.source.created_by.type | Value is always `user` | keyword | +| box.source.description | The optional description of this folder | text | +| box.source.etag | The HTTP etag of this folder | keyword | +| box.source.file_version | The information about the current version of the file | object | +| box.source.file_version.id | The unique identifier that represent a file version | keyword | +| box.source.file_version.type | Value is always `file_version` | keyword | +| box.source.id | The unique identifier that represent a folder | keyword | +| box.source.item_status | Defines if this item has been deleted or not. active when the item has is not in the trash trashed when the item has been moved to the trash but not deleted deleted when the item has been permanently deleted. Value is one of `active`, `trashed`, `deleted` | keyword | +| box.source.modified_at | The date and time at which this folder was last updated | date | +| box.source.modified_by | The user who last modified this folder | object | +| box.source.modified_by.id | The unique identifier for this user | keyword | +| box.source.modified_by.login | The primary email address of this user. Maps from \*\*.login | keyword | +| box.source.modified_by.name | The display name of this user. Maps from \*\*.name | keyword | +| box.source.modified_by.type | Value is always `user` | keyword | +| box.source.owned_by | The user who owns this folder | keyword | +| box.source.owned_by.id | The unique identifier for this user | keyword | +| box.source.owned_by.login | The primary email address of this user. Maps from \*\*.login | keyword | +| box.source.owned_by.name | The display name of this user. Maps from \*\*.name | keyword | +| box.source.owned_by.type | Value is always `user` | keyword | +| box.source.parent | The optional folder that this folder is located within. This value may be null for some folders such as the root folder or the trash folder | object | +| box.source.parent.etag | The HTTP etag of this folder | keyword | +| box.source.parent.id | The unique identifier that represent a folder | keyword | +| box.source.parent.name | The name of the folder | keyword | +| box.source.parent.sequence_id | A numeric identifier that represents the most recent user event that has been applied to this item (parent) | keyword | +| box.source.parent.type | Value is always `folder` | keyword | +| box.source.path_collection | The tree of folders that this folder is contained in, starting at the root | object | +| box.source.path_collection.entries | The parent folders for this item | object | +| box.source.path_collection.entries.id | The unique identifier that represent a folder. This field is an array | array | +| box.source.path_collection.entries.name | The name of the folder. This field is an array | array | +| box.source.path_collection.entries.type | Value is always `folder`. This field is an array | array | +| box.source.path_collection.total_count | The number of folders in this list | long | +| box.source.purged_at | The time at which this file is expected to be purged from the trash | boolean | +| box.source.sequence_id | A numeric identifier that represents the most recent user event that has been applied to this item | keyword | +| box.source.sha1 | SHA1 hash of the item concerned | keyword | +| box.source.synced | Legacy property for compatibility with Box Desktop | boolean | +| box.source.trashed_at | The time at which this file was put in the trash | boolean | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.user.email | User email address. | keyword | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.created | File creation time. Note that not all filesystems store the creation time. | date | +| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.mtime | Last time the file content was modified. | date | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | long | +| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | long | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long | +| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long | +| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long | +| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | + diff --git a/packages/box_events/0.1.1/img/box.svg b/packages/box_events/0.1.1/img/box.svg new file mode 100755 index 0000000000..b1b542eadd --- /dev/null +++ b/packages/box_events/0.1.1/img/box.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/box_events/0.1.1/img/box_screenshot.png b/packages/box_events/0.1.1/img/box_screenshot.png new file mode 100755 index 0000000000..2c2ffd315b Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_actions.png b/packages/box_events/0.1.1/img/box_screenshot_actions.png new file mode 100755 index 0000000000..cad6254e9d Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_actions.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_download.png b/packages/box_events/0.1.1/img/box_screenshot_download.png new file mode 100755 index 0000000000..47d6eedd22 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_download.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_ecs_event_classification.png b/packages/box_events/0.1.1/img/box_screenshot_ecs_event_classification.png new file mode 100755 index 0000000000..d8b989cc61 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_ecs_event_classification.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_failed_logins.png b/packages/box_events/0.1.1/img/box_screenshot_failed_logins.png new file mode 100755 index 0000000000..d4603ea3f8 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_failed_logins.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_histogram.png b/packages/box_events/0.1.1/img/box_screenshot_histogram.png new file mode 100755 index 0000000000..47fe3ebc44 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_histogram.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_name.png b/packages/box_events/0.1.1/img/box_screenshot_name.png new file mode 100755 index 0000000000..d83a3a562b Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_name.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_alerts.png b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts.png new file mode 100755 index 0000000000..1b5731af1d Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_anomalous_downloads.png b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_anomalous_downloads.png new file mode 100755 index 0000000000..ae660dd69f Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_anomalous_downloads.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_malware.png b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_malware.png new file mode 100755 index 0000000000..6e748fbd94 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_malware.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_suspicious_locations.png b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_suspicious_locations.png new file mode 100755 index 0000000000..55b7ca11a2 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_suspicious_locations.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_suspicious_sessions.png b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_suspicious_sessions.png new file mode 100755 index 0000000000..eb57fab242 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_suspicious_sessions.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_threat_histogram.png b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_threat_histogram.png new file mode 100755 index 0000000000..90719caa1d Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_threat_histogram.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_threat_locations.png b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_threat_locations.png new file mode 100755 index 0000000000..9768527b7f Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_alerts_threat_locations.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_ecs_event_classification.png b/packages/box_events/0.1.1/img/box_screenshot_shield_ecs_event_classification.png new file mode 100755 index 0000000000..86f47fbef7 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_ecs_event_classification.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_shield_top_threats.png b/packages/box_events/0.1.1/img/box_screenshot_shield_top_threats.png new file mode 100755 index 0000000000..686393dfde Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_shield_top_threats.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_size.png b/packages/box_events/0.1.1/img/box_screenshot_size.png new file mode 100755 index 0000000000..d0e73ca7d3 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_size.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_trash.png b/packages/box_events/0.1.1/img/box_screenshot_trash.png new file mode 100755 index 0000000000..7c6e476399 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_trash.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_type.png b/packages/box_events/0.1.1/img/box_screenshot_type.png new file mode 100755 index 0000000000..2a970b3a6e Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_type.png differ diff --git a/packages/box_events/0.1.1/img/box_screenshot_upload.png b/packages/box_events/0.1.1/img/box_screenshot_upload.png new file mode 100755 index 0000000000..31ba945053 Binary files /dev/null and b/packages/box_events/0.1.1/img/box_screenshot_upload.png differ diff --git a/packages/box_events/0.1.1/kibana/dashboard/box_events-ce6fbf50-2df9-11ed-8003-6d5721603181.json b/packages/box_events/0.1.1/kibana/dashboard/box_events-ce6fbf50-2df9-11ed-8003-6d5721603181.json new file mode 100755 index 0000000000..5c773a05f8 --- /dev/null +++ b/packages/box_events/0.1.1/kibana/dashboard/box_events-ce6fbf50-2df9-11ed-8003-6d5721603181.json @@ -0,0 +1,172 @@ +{ + "attributes": { + "description": "Box User and Enterprise Events", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b061a92-bcd1-4df9-b210-bbebce62a639\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b061a92-bcd1-4df9-b210-bbebce62a639\":{\"columnOrder\":[\"f22ef1b3-097d-467a-acff-456da3a18e2a\",\"95685053-99dc-4056-9d1d-e36c95a78a70\",\"1a0a5ad3-193d-4cd9-bf18-076089d286e5\"],\"columns\":{\"1a0a5ad3-193d-4cd9-bf18-076089d286e5\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"95685053-99dc-4056-9d1d-e36c95a78a70\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"f22ef1b3-097d-467a-acff-456da3a18e2a\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1a0a5ad3-193d-4cd9-bf18-076089d286e5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.events\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"1a0a5ad3-193d-4cd9-bf18-076089d286e5\"],\"layerId\":\"3b061a92-bcd1-4df9-b210-bbebce62a639\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"f22ef1b3-097d-467a-acff-456da3a18e2a\",\"xAccessor\":\"95685053-99dc-4056-9d1d-e36c95a78a70\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"41637b45-1aee-419c-9a66-66dac989936b\",\"w\":34,\"x\":0,\"y\":0},\"panelIndex\":\"41637b45-1aee-419c-9a66-66dac989936b\",\"title\":\"Box Events over Time by Event Type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c47b410-f1a2-4e27-bb0b-ce18840d61c4\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c47b410-f1a2-4e27-bb0b-ce18840d61c4\":{\"columnOrder\":[\"12a34af7-4ff9-443d-946e-633786c4eb6f\",\"a3240a4f-96d7-4ab7-aa44-2b35125abe85\"],\"columns\":{\"12a34af7-4ff9-443d-946e-633786c4eb6f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a3240a4f-96d7-4ab7-aa44-2b35125abe85\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"a3240a4f-96d7-4ab7-aa44-2b35125abe85\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.events\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"12a34af7-4ff9-443d-946e-633786c4eb6f\"],\"layerId\":\"9c47b410-f1a2-4e27-bb0b-ce18840d61c4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a3240a4f-96d7-4ab7-aa44-2b35125abe85\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"561a7dd7-afcc-452b-b775-23e9908575be\",\"w\":14,\"x\":34,\"y\":0},\"panelIndex\":\"561a7dd7-afcc-452b-b775-23e9908575be\",\"title\":\"All Box Events by Event Type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-76176cf6-6243-4794-b734-ab88d8eba2c2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"76176cf6-6243-4794-b734-ab88d8eba2c2\":{\"columnOrder\":[\"4ce1c9c0-c6bb-4d19-b548-16eefc9429f9\",\"343be679-8a6a-4812-b4a5-8de74a5f64d5\",\"9331a0be-879b-496c-a93f-ccaf4590add8\",\"21dc604d-8aa8-4929-8b84-520e802cf4b7\"],\"columns\":{\"21dc604d-8aa8-4929-8b84-520e802cf4b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"343be679-8a6a-4812-b4a5-8de74a5f64d5\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21dc604d-8aa8-4929-8b84-520e802cf4b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"4ce1c9c0-c6bb-4d19-b548-16eefc9429f9\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21dc604d-8aa8-4929-8b84-520e802cf4b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"9331a0be-879b-496c-a93f-ccaf4590add8\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"21dc604d-8aa8-4929-8b84-520e802cf4b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4ce1c9c0-c6bb-4d19-b548-16eefc9429f9\",\"343be679-8a6a-4812-b4a5-8de74a5f64d5\",\"9331a0be-879b-496c-a93f-ccaf4590add8\"],\"layerId\":\"76176cf6-6243-4794-b734-ab88d8eba2c2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"21dc604d-8aa8-4929-8b84-520e802cf4b7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d40210dc-f68c-4c62-b121-f3685c4830f7\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"d40210dc-f68c-4c62-b121-f3685c4830f7\",\"title\":\"Box Events by ECS Event Classification\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-801b34f4-7add-4473-b785-a405c0f08ae6\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"801b34f4-7add-4473-b785-a405c0f08ae6\":{\"columnOrder\":[\"bf11a747-b2cf-4229-9734-a678be0096bc\"],\"columns\":{\"bf11a747-b2cf-4229-9734-a678be0096bc\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of file.size\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"file.size\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"ITEM_UPLOAD\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"ITEM_UPLOAD\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"bf11a747-b2cf-4229-9734-a678be0096bc\",\"layerId\":\"801b34f4-7add-4473-b785-a405c0f08ae6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"bbf55188-d33e-4adf-9096-d1defcee00f8\",\"w\":10,\"x\":24,\"y\":15},\"panelIndex\":\"bbf55188-d33e-4adf-9096-d1defcee00f8\",\"title\":\"Total Upload Bytes\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c47b410-f1a2-4e27-bb0b-ce18840d61c4\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c47b410-f1a2-4e27-bb0b-ce18840d61c4\":{\"columnOrder\":[\"6e612734-092f-4a32-a2b3-2e6d767da142\",\"a3240a4f-96d7-4ab7-aa44-2b35125abe85\"],\"columns\":{\"6e612734-092f-4a32-a2b3-2e6d767da142\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of file.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a3240a4f-96d7-4ab7-aa44-2b35125abe85\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"file.name\"},\"a3240a4f-96d7-4ab7-aa44-2b35125abe85\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.events\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"6e612734-092f-4a32-a2b3-2e6d767da142\"],\"layerId\":\"9c47b410-f1a2-4e27-bb0b-ce18840d61c4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a3240a4f-96d7-4ab7-aa44-2b35125abe85\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a312691f-156e-4aa7-8aa0-836484d914d1\",\"w\":14,\"x\":34,\"y\":15},\"panelIndex\":\"a312691f-156e-4aa7-8aa0-836484d914d1\",\"title\":\"All Box Events by File Name\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-801b34f4-7add-4473-b785-a405c0f08ae6\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"801b34f4-7add-4473-b785-a405c0f08ae6\":{\"columnOrder\":[\"bf11a747-b2cf-4229-9734-a678be0096bc\"],\"columns\":{\"bf11a747-b2cf-4229-9734-a678be0096bc\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of file.size\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"file.size\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"ITEM_DOWNLOAD\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"ITEM_DOWNLOAD\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"bf11a747-b2cf-4229-9734-a678be0096bc\",\"layerId\":\"801b34f4-7add-4473-b785-a405c0f08ae6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"3379ea10-7e15-4a7b-9603-674406e0b80c\",\"w\":10,\"x\":24,\"y\":20},\"panelIndex\":\"3379ea10-7e15-4a7b-9603-674406e0b80c\",\"title\":\"Total Download Bytes\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-801b34f4-7add-4473-b785-a405c0f08ae6\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"801b34f4-7add-4473-b785-a405c0f08ae6\":{\"columnOrder\":[\"bf11a747-b2cf-4229-9734-a678be0096bc\"],\"columns\":{\"bf11a747-b2cf-4229-9734-a678be0096bc\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of file.size\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"file.size\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"ITEM_TRASH\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"ITEM_TRASH\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"bf11a747-b2cf-4229-9734-a678be0096bc\",\"layerId\":\"801b34f4-7add-4473-b785-a405c0f08ae6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"c699b8ce-e97e-4b91-9817-7baef1571774\",\"w\":10,\"x\":24,\"y\":25},\"panelIndex\":\"c699b8ce-e97e-4b91-9817-7baef1571774\",\"title\":\"Total Trash Bytes\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f9ef675c-a745-4a0a-aae9-ef624e5592a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f9ef675c-a745-4a0a-aae9-ef624e5592a8\":{\"columnOrder\":[\"20b83fec-1495-4d3d-9113-9e6828287bb8\",\"97620d35-cb1d-4dc7-b557-6b0992edac3c\"],\"columns\":{\"20b83fec-1495-4d3d-9113-9e6828287bb8\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of box.created_by.login\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"97620d35-cb1d-4dc7-b557-6b0992edac3c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"box.created_by.login\"},\"97620d35-cb1d-4dc7-b557-6b0992edac3c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.events\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"20b83fec-1495-4d3d-9113-9e6828287bb8\",\"isTransposed\":false},{\"columnId\":\"97620d35-cb1d-4dc7-b557-6b0992edac3c\",\"isTransposed\":false}],\"layerId\":\"f9ef675c-a745-4a0a-aae9-ef624e5592a8\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ae90077c-6251-496d-80cb-58b8c6f6c8a5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"ae90077c-6251-496d-80cb-58b8c6f6c8a5\",\"title\":\"Top 10 Users x Number of Events associated with the user\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f9ef675c-a745-4a0a-aae9-ef624e5592a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f9ef675c-a745-4a0a-aae9-ef624e5592a8\":{\"columnOrder\":[\"20b83fec-1495-4d3d-9113-9e6828287bb8\",\"97620d35-cb1d-4dc7-b557-6b0992edac3c\"],\"columns\":{\"20b83fec-1495-4d3d-9113-9e6828287bb8\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of box.created_by.login\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"97620d35-cb1d-4dc7-b557-6b0992edac3c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"box.created_by.login\"},\"97620d35-cb1d-4dc7-b557-6b0992edac3c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.events\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"FAILED_LOGIN\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"FAILED_LOGIN\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"20b83fec-1495-4d3d-9113-9e6828287bb8\",\"isTransposed\":false},{\"columnId\":\"97620d35-cb1d-4dc7-b557-6b0992edac3c\",\"isTransposed\":false}],\"layerId\":\"f9ef675c-a745-4a0a-aae9-ef624e5592a8\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"554f97ae-858d-4fd5-b0c7-5612ca96f957\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"554f97ae-858d-4fd5-b0c7-5612ca96f957\",\"title\":\"Top 10 Users x number of Failed Logins\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Box Events Integration] Events", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "box_events-ce6fbf50-2df9-11ed-8003-6d5721603181", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "41637b45-1aee-419c-9a66-66dac989936b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "41637b45-1aee-419c-9a66-66dac989936b:indexpattern-datasource-layer-3b061a92-bcd1-4df9-b210-bbebce62a639", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "41637b45-1aee-419c-9a66-66dac989936b:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "561a7dd7-afcc-452b-b775-23e9908575be:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "561a7dd7-afcc-452b-b775-23e9908575be:indexpattern-datasource-layer-9c47b410-f1a2-4e27-bb0b-ce18840d61c4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "561a7dd7-afcc-452b-b775-23e9908575be:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d40210dc-f68c-4c62-b121-f3685c4830f7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d40210dc-f68c-4c62-b121-f3685c4830f7:indexpattern-datasource-layer-76176cf6-6243-4794-b734-ab88d8eba2c2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bbf55188-d33e-4adf-9096-d1defcee00f8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bbf55188-d33e-4adf-9096-d1defcee00f8:indexpattern-datasource-layer-801b34f4-7add-4473-b785-a405c0f08ae6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bbf55188-d33e-4adf-9096-d1defcee00f8:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bbf55188-d33e-4adf-9096-d1defcee00f8:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a312691f-156e-4aa7-8aa0-836484d914d1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a312691f-156e-4aa7-8aa0-836484d914d1:indexpattern-datasource-layer-9c47b410-f1a2-4e27-bb0b-ce18840d61c4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a312691f-156e-4aa7-8aa0-836484d914d1:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3379ea10-7e15-4a7b-9603-674406e0b80c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3379ea10-7e15-4a7b-9603-674406e0b80c:indexpattern-datasource-layer-801b34f4-7add-4473-b785-a405c0f08ae6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3379ea10-7e15-4a7b-9603-674406e0b80c:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3379ea10-7e15-4a7b-9603-674406e0b80c:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c699b8ce-e97e-4b91-9817-7baef1571774:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c699b8ce-e97e-4b91-9817-7baef1571774:indexpattern-datasource-layer-801b34f4-7add-4473-b785-a405c0f08ae6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c699b8ce-e97e-4b91-9817-7baef1571774:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c699b8ce-e97e-4b91-9817-7baef1571774:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae90077c-6251-496d-80cb-58b8c6f6c8a5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae90077c-6251-496d-80cb-58b8c6f6c8a5:indexpattern-datasource-layer-f9ef675c-a745-4a0a-aae9-ef624e5592a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae90077c-6251-496d-80cb-58b8c6f6c8a5:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "554f97ae-858d-4fd5-b0c7-5612ca96f957:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "554f97ae-858d-4fd5-b0c7-5612ca96f957:indexpattern-datasource-layer-f9ef675c-a745-4a0a-aae9-ef624e5592a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "554f97ae-858d-4fd5-b0c7-5612ca96f957:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "554f97ae-858d-4fd5-b0c7-5612ca96f957:filter-index-pattern-1", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/box_events/0.1.1/kibana/dashboard/box_events-ff3d9940-2e03-11ed-8003-6d5721603181.json b/packages/box_events/0.1.1/kibana/dashboard/box_events-ff3d9940-2e03-11ed-8003-6d5721603181.json new file mode 100755 index 0000000000..9cecfe132a --- /dev/null +++ b/packages/box_events/0.1.1/kibana/dashboard/box_events-ff3d9940-2e03-11ed-8003-6d5721603181.json @@ -0,0 +1,202 @@ +{ + "attributes": { + "description": "Alerts generated by Box Shield with appropriate Box License", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"c865b852-60b2-4d16-b356-b1966fb34bd7\",\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\",\"c11ccfe1-69a9-43e3-9a25-349fd58b909e\"],\"columns\":{\"c11ccfe1-69a9-43e3-9a25-349fd58b909e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c865b852-60b2-4d16-b356-b1966fb34bd7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c11ccfe1-69a9-43e3-9a25-349fd58b909e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"box_events.anomalous_download_alerts\",\"box_events.suspicious_locations\",\"box_events.suspicious_sessions\",\"box_events.malicious_content_alerts\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"box_events.anomalous_download_alerts\"}},{\"match_phrase\":{\"data_stream.dataset\":\"box_events.suspicious_locations\"}},{\"match_phrase\":{\"data_stream.dataset\":\"box_events.suspicious_sessions\"}},{\"match_phrase\":{\"data_stream.dataset\":\"box_events.malicious_content_alerts\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"c11ccfe1-69a9-43e3-9a25-349fd58b909e\"],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"c865b852-60b2-4d16-b356-b1966fb34bd7\",\"xAccessor\":\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"edbbe9f0-fe40-47b4-aa4a-8067bb51fb95\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"edbbe9f0-fe40-47b4-aa4a-8067bb51fb95\",\"title\":\"Threats over time by STIX type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"9b84ad63-e18b-4c0b-b40e-d1c0b6160e35\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"threat.indicator.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"09351277-7f7b-4cda-91c0-90537fd6fcab\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"57bb3a3b-3d89-4eb1-9982-7cdbdcb4cc45\\\",\\\"label\\\":\\\"BOX SHIELD ALERTS\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[],\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset : \\\\\\\"box_events.anomalous_download_alerts\\\\\\\" OR data_stream.dataset : \\\\\\\"box_events.malicious_content_alerts\\\\\\\" OR data_stream.dataset : \\\\\\\"box_events.suspicious_locations\\\\\\\" OR data_stream.dataset : \\\\\\\"box_events.suspicious_sessions\\\\\\\" \\\",\\\"language\\\":\\\"kuery\\\"}}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.69,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"2022-06-26T18:59:22.017Z\\\",\\\"to\\\":\\\"2022-07-22T07:40:46.690Z\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Threat Locations\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":false,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":90,\"minLat\":0,\"minLon\":-180},\"mapCenter\":{\"lat\":49.55871,\"lon\":-52.5311,\"zoom\":1.96},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"b19fd684-ab5c-4dc7-9680-6407f17959e5\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"b19fd684-ab5c-4dc7-9680-6407f17959e5\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-daefabbd-179b-4582-9dea-a9ff8e1d35de\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"daefabbd-179b-4582-9dea-a9ff8e1d35de\":{\"columnOrder\":[\"3a997fad-ab97-4ad7-a510-76efbc496986\",\"9b19362f-2684-4b48-b092-73dd6cd8c5ae\",\"df1128d2-aa6e-43f3-8844-760b12a7dcd7\",\"b780d335-780c-4ba1-ac7f-d1785707c7cb\"],\"columns\":{\"3a997fad-ab97-4ad7-a510-76efbc496986\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b780d335-780c-4ba1-ac7f-d1785707c7cb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"9b19362f-2684-4b48-b092-73dd6cd8c5ae\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b780d335-780c-4ba1-ac7f-d1785707c7cb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"b780d335-780c-4ba1-ac7f-d1785707c7cb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df1128d2-aa6e-43f3-8844-760b12a7dcd7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b780d335-780c-4ba1-ac7f-d1785707c7cb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3a997fad-ab97-4ad7-a510-76efbc496986\",\"9b19362f-2684-4b48-b092-73dd6cd8c5ae\",\"df1128d2-aa6e-43f3-8844-760b12a7dcd7\"],\"layerId\":\"daefabbd-179b-4582-9dea-a9ff8e1d35de\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b780d335-780c-4ba1-ac7f-d1785707c7cb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e01d8997-a0f6-424a-b0ba-cea5e49ec0b6\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"e01d8997-a0f6-424a-b0ba-cea5e49ec0b6\",\"title\":\"Box Shield Alerts By ECS Threat Classification\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8a260e0f-39a2-468a-b03f-4dac60f39c20\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8a260e0f-39a2-468a-b03f-4dac60f39c20\":{\"columnOrder\":[\"11a38a01-32db-453b-9ac2-3d704734e1c3\",\"8275f89e-9783-4384-8355-fb6ef2158be4\"],\"columns\":{\"11a38a01-32db-453b-9ac2-3d704734e1c3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8275f89e-9783-4384-8355-fb6ef2158be4\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"},\"8275f89e-9783-4384-8355-fb6ef2158be4\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"11a38a01-32db-453b-9ac2-3d704734e1c3\",\"isTransposed\":false,\"width\":802},{\"columnId\":\"8275f89e-9783-4384-8355-fb6ef2158be4\",\"isTransposed\":false}],\"layerId\":\"8a260e0f-39a2-468a-b03f-4dac60f39c20\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"eb45035b-ee80-4bfd-89c3-8ccc9e3aa8cf\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"eb45035b-ee80-4bfd-89c3-8ccc9e3aa8cf\",\"title\":\"Top Threats\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"c865b852-60b2-4d16-b356-b1966fb34bd7\",\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\",\"f9524357-c549-4c0c-afeb-cf40a287a74a\"],\"columns\":{\"c865b852-60b2-4d16-b356-b1966fb34bd7\":{\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.ip\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f9524357-c549-4c0c-afeb-cf40a287a74a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.ip\"},\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"f9524357-c549-4c0c-afeb-cf40a287a74a\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of box.additional_details.shield_alert.alert_summary.download_delta_percent\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"box.additional_details.shield_alert.alert_summary.download_delta_percent\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.anomalous_download_alerts\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.anomalous_download_alerts\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"f9524357-c549-4c0c-afeb-cf40a287a74a\"],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"c865b852-60b2-4d16-b356-b1966fb34bd7\",\"xAccessor\":\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c3534520-ed7f-4989-8ca5-04255b81b6ae\",\"w\":14,\"x\":0,\"y\":30},\"panelIndex\":\"c3534520-ed7f-4989-8ca5-04255b81b6ae\",\"title\":\"Anomalous Download Delta Percent over time by IP\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"9b84ad63-e18b-4c0b-b40e-d1c0b6160e35\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"threat.indicator.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"09351277-7f7b-4cda-91c0-90537fd6fcab\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"57bb3a3b-3d89-4eb1-9982-7cdbdcb4cc45\\\",\\\"label\\\":\\\"BOX SHIELD ALERTS\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[],\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset : \\\\\\\"box_events.anomalous_download_alerts\\\\\\\"\\\",\\\"language\\\":\\\"kuery\\\"}}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.96,\\\"center\\\":{\\\"lon\\\":-52.5311,\\\"lat\\\":49.55871},\\\"timeFilters\\\":{\\\"from\\\":\\\"2022-06-26T18:59:22.017Z\\\",\\\"to\\\":\\\"2022-07-22T07:40:46.690Z\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"Threat Locations\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":61.6064,\"maxLon\":33.75,\"minLat\":48.9225,\"minLon\":-11.25},\"mapCenter\":{\"lat\":55.17998,\"lon\":7.7618,\"zoom\":4.1},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"d50c91d5-37d4-44b0-a775-995b26c18eb9\",\"w\":21,\"x\":14,\"y\":30},\"panelIndex\":\"d50c91d5-37d4-44b0-a775-995b26c18eb9\",\"title\":\"Anomalous Download Locations Target IP\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"baba854b-fcfa-4fcf-b499-7e759be43d17\",\"82b63630-768d-434d-81fd-0834271bfea6\",\"b7b02161-38d6-4317-b17f-6909db21ffe2\"],\"columns\":{\"82b63630-768d-434d-81fd-0834271bfea6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"b7b02161-38d6-4317-b17f-6909db21ffe2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"baba854b-fcfa-4fcf-b499-7e759be43d17\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.malicious_content_alerts\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.malicious_content_alerts\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"baba854b-fcfa-4fcf-b499-7e759be43d17\",\"isTransposed\":false,\"width\":608},{\"columnId\":\"82b63630-768d-434d-81fd-0834271bfea6\",\"isTransposed\":false},{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"isTransposed\":false}],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c479176c-d1d0-401e-ac88-cd7eff9c6f83\",\"w\":13,\"x\":35,\"y\":45},\"panelIndex\":\"c479176c-d1d0-401e-ac88-cd7eff9c6f83\",\"title\":\"Top Malware Indicator Descriptions\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"d9b4be5e-b623-4d51-b0cd-49830dd135c7\",\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\",\"1765ec8c-842a-4d18-9667-4d5bf6864c12\"],\"columns\":{\"1765ec8c-842a-4d18-9667-4d5bf6864c12\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of @timestamp\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"@timestamp\"},\"d9b4be5e-b623-4d51-b0cd-49830dd135c7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of box.additional_details.shield_alert.malware_info.malware_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1765ec8c-842a-4d18-9667-4d5bf6864c12\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"box.additional_details.shield_alert.malware_info.malware_name\"},\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.malicious_content_alerts\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.malicious_content_alerts\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"1765ec8c-842a-4d18-9667-4d5bf6864c12\"],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d9b4be5e-b623-4d51-b0cd-49830dd135c7\",\"xAccessor\":\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3ddcfc57-8157-43ad-822a-376a390b95eb\",\"w\":14,\"x\":0,\"y\":45},\"panelIndex\":\"3ddcfc57-8157-43ad-822a-376a390b95eb\",\"title\":\"Malware over time by Malware Name\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"9b84ad63-e18b-4c0b-b40e-d1c0b6160e35\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"threat.indicator.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"09351277-7f7b-4cda-91c0-90537fd6fcab\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"57bb3a3b-3d89-4eb1-9982-7cdbdcb4cc45\\\",\\\"label\\\":\\\"BOX SHIELD ALERTS\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[],\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset : \\\\\\\"box_events.malicious_content_alerts\\\\\\\"\\\",\\\"language\\\":\\\"kuery\\\"}}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.96,\\\"center\\\":{\\\"lon\\\":-52.5311,\\\"lat\\\":49.55871},\\\"timeFilters\\\":{\\\"from\\\":\\\"2022-06-26T18:59:22.017Z\\\",\\\"to\\\":\\\"2022-07-22T07:40:46.690Z\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"Threat Locations\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":38.82259,\"maxLon\":-118.125,\"minLat\":36.59789,\"minLon\":-123.75},\"mapCenter\":{\"lat\":37.5555,\"lon\":-120.6789,\"zoom\":7.02},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"0ba381d1-a56e-4ae2-81e4-d287581e11f0\",\"w\":21,\"x\":14,\"y\":45},\"panelIndex\":\"0ba381d1-a56e-4ae2-81e4-d287581e11f0\",\"title\":\"Malware Locations Source IP\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"baba854b-fcfa-4fcf-b499-7e759be43d17\",\"82b63630-768d-434d-81fd-0834271bfea6\",\"b7b02161-38d6-4317-b17f-6909db21ffe2\"],\"columns\":{\"82b63630-768d-434d-81fd-0834271bfea6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"b7b02161-38d6-4317-b17f-6909db21ffe2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"baba854b-fcfa-4fcf-b499-7e759be43d17\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.anomalous_download_alerts\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.anomalous_download_alerts\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"baba854b-fcfa-4fcf-b499-7e759be43d17\",\"isTransposed\":false,\"width\":608},{\"columnId\":\"82b63630-768d-434d-81fd-0834271bfea6\",\"isTransposed\":false},{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"isTransposed\":false}],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"67c15713-00be-4e33-aa2c-7f9077d87ca5\",\"w\":13,\"x\":35,\"y\":30},\"panelIndex\":\"67c15713-00be-4e33-aa2c-7f9077d87ca5\",\"title\":\"Top Anomalous Download Indicator Descriptions\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"15d9edb1-1fe1-436a-a2cc-de41737db94c\",\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\",\"1765ec8c-842a-4d18-9667-4d5bf6864c12\"],\"columns\":{\"15d9edb1-1fe1-436a-a2cc-de41737db94c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of box.additional_details.shield_alert.alert_summary.alert_activities.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1765ec8c-842a-4d18-9667-4d5bf6864c12\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"box.additional_details.shield_alert.alert_summary.alert_activities.event_type\"},\"1765ec8c-842a-4d18-9667-4d5bf6864c12\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of @timestamp\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"@timestamp\"},\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.suspicious_locations\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.suspicious_locations\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"1765ec8c-842a-4d18-9667-4d5bf6864c12\"],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"15d9edb1-1fe1-436a-a2cc-de41737db94c\",\"xAccessor\":\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7347e441-012b-4aab-9795-33eb2f8e9447\",\"w\":14,\"x\":0,\"y\":60},\"panelIndex\":\"7347e441-012b-4aab-9795-33eb2f8e9447\",\"title\":\"Suspicious Locations over time by Box Event Type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"9b84ad63-e18b-4c0b-b40e-d1c0b6160e35\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"threat.indicator.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"09351277-7f7b-4cda-91c0-90537fd6fcab\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"57bb3a3b-3d89-4eb1-9982-7cdbdcb4cc45\\\",\\\"label\\\":\\\"BOX SHIELD ALERTS\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[],\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset : \\\\\\\"box_events.suspicious_locations\\\\\\\" \\\",\\\"language\\\":\\\"kuery\\\"}}]\",\"mapStateJSON\":\"{\\\"zoom\\\":7.02,\\\"center\\\":{\\\"lon\\\":-120.6789,\\\"lat\\\":37.5555},\\\"timeFilters\\\":{\\\"from\\\":\\\"2022-06-26T18:59:22.017Z\\\",\\\"to\\\":\\\"2022-07-22T07:40:46.690Z\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"Threat Locations\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":38.82259,\"maxLon\":-118.125,\"minLat\":36.59789,\"minLon\":-123.75},\"mapCenter\":{\"lat\":37.5555,\"lon\":-120.6789,\"zoom\":7.02},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"65d1c96f-92ff-4e91-b0a9-9bf4885b83db\",\"w\":21,\"x\":14,\"y\":60},\"panelIndex\":\"65d1c96f-92ff-4e91-b0a9-9bf4885b83db\",\"title\":\"Suspicious Locations IP Location\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"baba854b-fcfa-4fcf-b499-7e759be43d17\",\"82b63630-768d-434d-81fd-0834271bfea6\",\"b7b02161-38d6-4317-b17f-6909db21ffe2\"],\"columns\":{\"82b63630-768d-434d-81fd-0834271bfea6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"b7b02161-38d6-4317-b17f-6909db21ffe2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"baba854b-fcfa-4fcf-b499-7e759be43d17\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.suspicious_locations\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.suspicious_locations\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"baba854b-fcfa-4fcf-b499-7e759be43d17\",\"isTransposed\":false,\"width\":608},{\"columnId\":\"82b63630-768d-434d-81fd-0834271bfea6\",\"isTransposed\":false},{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"isTransposed\":false}],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"748d7b63-9430-49f1-9192-e091986feefc\",\"w\":13,\"x\":35,\"y\":60},\"panelIndex\":\"748d7b63-9430-49f1-9192-e091986feefc\",\"title\":\"Suspicious Locations Alert Descriptions\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"73acbfb0-2874-4d0f-bfe0-2a664646197b\",\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\",\"1765ec8c-842a-4d18-9667-4d5bf6864c12\"],\"columns\":{\"1765ec8c-842a-4d18-9667-4d5bf6864c12\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of @timestamp\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"@timestamp\"},\"73acbfb0-2874-4d0f-bfe0-2a664646197b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of box.additional_details.shield_alert.alert_summary.sessions.activities.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1765ec8c-842a-4d18-9667-4d5bf6864c12\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"box.additional_details.shield_alert.alert_summary.sessions.activities.event_type\"},\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.suspicious_sessions\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.suspicious_sessions\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"1765ec8c-842a-4d18-9667-4d5bf6864c12\"],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"73acbfb0-2874-4d0f-bfe0-2a664646197b\",\"xAccessor\":\"f7828a09-1e04-458e-8a91-ccd7f10ab1ad\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"55fd3ed2-81a9-4418-abbe-4301efc066fb\",\"w\":14,\"x\":0,\"y\":75},\"panelIndex\":\"55fd3ed2-81a9-4418-abbe-4301efc066fb\",\"title\":\"Suspicious Sessions over time by Box Event Type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"9b84ad63-e18b-4c0b-b40e-d1c0b6160e35\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"geoField\\\":\\\"threat.indicator.geo.location\\\",\\\"filterByMapBounds\\\":true,\\\"scalingType\\\":\\\"CLUSTERS\\\",\\\"id\\\":\\\"09351277-7f7b-4cda-91c0-90537fd6fcab\\\",\\\"type\\\":\\\"ES_SEARCH\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"tooltipProperties\\\":[],\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"topHitsSplitField\\\":\\\"\\\",\\\"topHitsSize\\\":1},\\\"id\\\":\\\"57bb3a3b-3d89-4eb1-9982-7cdbdcb4cc45\\\",\\\"label\\\":\\\"BOX SHIELD ALERTS\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":1}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"BLENDED_VECTOR\\\",\\\"joins\\\":[],\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset :\\\\\\\"box_events.suspicious_sessions\\\\\\\" \\\",\\\"language\\\":\\\"kuery\\\"}}]\",\"mapStateJSON\":\"{\\\"zoom\\\":7.02,\\\"center\\\":{\\\"lon\\\":-120.6789,\\\"lat\\\":37.5555},\\\"timeFilters\\\":{\\\"from\\\":\\\"2022-06-26T18:59:22.017Z\\\",\\\"to\\\":\\\"2022-07-22T07:40:46.690Z\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"Threat Locations\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":0,\"minLat\":0,\"minLon\":-135},\"mapCenter\":{\"lat\":37.5555,\"lon\":-70.6789,\"zoom\":2.21},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"aa321506-5bb5-4458-acb1-797629d3e789\",\"w\":21,\"x\":14,\"y\":75},\"panelIndex\":\"aa321506-5bb5-4458-acb1-797629d3e789\",\"title\":\"Suspicious Sessions IP Location\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"566c210c-4661-4558-b93f-47ae73b8d4b9\":{\"columnOrder\":[\"baba854b-fcfa-4fcf-b499-7e759be43d17\",\"82b63630-768d-434d-81fd-0834271bfea6\",\"b7b02161-38d6-4317-b17f-6909db21ffe2\"],\"columns\":{\"82b63630-768d-434d-81fd-0834271bfea6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"b7b02161-38d6-4317-b17f-6909db21ffe2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"baba854b-fcfa-4fcf-b499-7e759be43d17\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.description\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"box_events.suspicious_sessions\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"box_events.suspicious_sessions\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"baba854b-fcfa-4fcf-b499-7e759be43d17\",\"isTransposed\":false,\"width\":608},{\"columnId\":\"82b63630-768d-434d-81fd-0834271bfea6\",\"isTransposed\":false},{\"columnId\":\"b7b02161-38d6-4317-b17f-6909db21ffe2\",\"isTransposed\":false}],\"layerId\":\"566c210c-4661-4558-b93f-47ae73b8d4b9\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"adfc862f-f9e5-4adf-9fee-59c267bc8ec3\",\"w\":13,\"x\":35,\"y\":75},\"panelIndex\":\"adfc862f-f9e5-4adf-9fee-59c267bc8ec3\",\"title\":\"Suspicious Sessions Alert Descriptions\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Box Events Integration] Box Shield Alerts", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "box_events-ff3d9940-2e03-11ed-8003-6d5721603181", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "edbbe9f0-fe40-47b4-aa4a-8067bb51fb95:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "edbbe9f0-fe40-47b4-aa4a-8067bb51fb95:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "edbbe9f0-fe40-47b4-aa4a-8067bb51fb95:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b19fd684-ab5c-4dc7-9680-6407f17959e5:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e01d8997-a0f6-424a-b0ba-cea5e49ec0b6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e01d8997-a0f6-424a-b0ba-cea5e49ec0b6:indexpattern-datasource-layer-daefabbd-179b-4582-9dea-a9ff8e1d35de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eb45035b-ee80-4bfd-89c3-8ccc9e3aa8cf:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eb45035b-ee80-4bfd-89c3-8ccc9e3aa8cf:indexpattern-datasource-layer-8a260e0f-39a2-468a-b03f-4dac60f39c20", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3534520-ed7f-4989-8ca5-04255b81b6ae:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3534520-ed7f-4989-8ca5-04255b81b6ae:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3534520-ed7f-4989-8ca5-04255b81b6ae:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d50c91d5-37d4-44b0-a775-995b26c18eb9:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c479176c-d1d0-401e-ac88-cd7eff9c6f83:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c479176c-d1d0-401e-ac88-cd7eff9c6f83:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c479176c-d1d0-401e-ac88-cd7eff9c6f83:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3ddcfc57-8157-43ad-822a-376a390b95eb:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3ddcfc57-8157-43ad-822a-376a390b95eb:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3ddcfc57-8157-43ad-822a-376a390b95eb:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0ba381d1-a56e-4ae2-81e4-d287581e11f0:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "67c15713-00be-4e33-aa2c-7f9077d87ca5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "67c15713-00be-4e33-aa2c-7f9077d87ca5:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "67c15713-00be-4e33-aa2c-7f9077d87ca5:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7347e441-012b-4aab-9795-33eb2f8e9447:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7347e441-012b-4aab-9795-33eb2f8e9447:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7347e441-012b-4aab-9795-33eb2f8e9447:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "65d1c96f-92ff-4e91-b0a9-9bf4885b83db:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "748d7b63-9430-49f1-9192-e091986feefc:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "748d7b63-9430-49f1-9192-e091986feefc:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "748d7b63-9430-49f1-9192-e091986feefc:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55fd3ed2-81a9-4418-abbe-4301efc066fb:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55fd3ed2-81a9-4418-abbe-4301efc066fb:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55fd3ed2-81a9-4418-abbe-4301efc066fb:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aa321506-5bb5-4458-acb1-797629d3e789:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "adfc862f-f9e5-4adf-9fee-59c267bc8ec3:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "adfc862f-f9e5-4adf-9fee-59c267bc8ec3:indexpattern-datasource-layer-566c210c-4661-4558-b93f-47ae73b8d4b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "adfc862f-f9e5-4adf-9fee-59c267bc8ec3:filter-index-pattern-0", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/box_events/0.1.1/manifest.yml b/packages/box_events/0.1.1/manifest.yml new file mode 100755 index 0000000000..9e6ee36b06 --- /dev/null +++ b/packages/box_events/0.1.1/manifest.yml @@ -0,0 +1,154 @@ +format_version: 1.0.0 +name: box_events +title: Box Events +version: 0.1.1 +release: beta +license: basic +description: "Collect logs from Box with Elastic Agent." +type: integration +categories: + - cloud + - datastore +conditions: + kibana.version: "^7.17.0 || ^8.3.0" +screenshots: + - src: /img/box_screenshot.png + title: "[Logs Box Events Integration] Events Dashboard" + size: 3036x1342 + type: image/png + - src: /img/box_screenshot_histogram.png + title: "Box Events over Time by Event Type" + size: 2201x752 + type: image/png + - src: /img/box_screenshot_type.png + title: "All Box Events by Event Type" + size: 828x842 + type: image/png + - src: /img/box_screenshot_ecs_event_classification.png + title: "Box Events by ECS Event Classification" + size: 1430x668 + type: image/png + - src: /img/box_screenshot_name.png + title: "All Box Events by File Name" + size: 826x830 + type: image/png + - src: /img/box_screenshot_upload.png + title: "Total Upload Bytes" + size: 440x240 + type: image/png + - src: /img/box_screenshot_download.png + title: "Total Download Bytes" + size: 428x243 + type: image/png + - src: /img/box_screenshot_trash.png + title: "Total Trash Bytes" + size: 428x249 + type: image/png + - src: /img/box_screenshot_actions.png + title: "Top 10 Users x Number of Events associated with the user" + size: 888x750 + type: image/png + - src: /img/box_screenshot_failed_logins.png + title: "Top 10 Users x number of Failed Logins" + size: 872x740 + type: image/png + - src: /img/box_screenshot_shield_alerts.png + title: "[Logs Box Events Integration] Box Shield Alerts Dashboard" + size: 3032x1352 + type: image/png + - src: /img/box_screenshot_shield_alerts_threat_histogram.png + title: "Box Shield Threat Histogram" + size: 1512x600 + type: image/png + - src: /img/box_screenshot_shield_alerts_threat_locations.png + title: "Box Shield Threat Locations" + size: 1528x597 + type: image/png + - src: /img/box_screenshot_shield_ecs_event_classification.png + title: "Box Shield Alerts By ECS Threat Classification" + size: 1505x671 + type: image/png + - src: /img/box_screenshot_shield_top_threats.png + title: "Top Threats" + size: 1436x670 + type: image/png + - src: /img/box_screenshot_shield_alerts_anomalous_downloads.png + title: "Box Shield Anomalous Downloads" + size: 3040x591 + type: image/png + - src: /img/box_screenshot_shield_alerts_malware.png + title: "Box Shield Malware" + size: 3038x598 + type: image/png + - src: /img/box_screenshot_shield_alerts_suspicious_locations.png + title: "Box Shield Suspicious Locations" + size: 3035x595 + type: image/png + - src: /img/box_screenshot_shield_alerts_suspicious_sessions.png + title: "Box Shield Suspicious Locations" + size: 3042x592 + type: image/png +icons: + - src: /img/box.svg + title: Box Blue Logo + size: 60x32 + type: image/svg+xml +policy_templates: + - name: box_events + title: Box Events + description: Collect Events from BOX + inputs: + - type: httpjson + title: "Collect BOX Events via API" + description: "Collecting events from BOX via API" + vars: + - name: client_id + type: password + title: CLIENT ID + description: >- + The Client ID of the application that is requesting to authenticate the user. To get the Client ID for your application, log in to your Box developer console and click My Apps, then select the application you're working with. Under the Configuration tab, scroll down to OAuth 2.0 Credentials to copy the Client ID. + multi: false + required: true + show_user: true + - name: client_secret + type: password + title: CLIENT SECRET + description: >- + The client secret of the application requesting an access token. To get the Client Secret for your application, log in to your Box developer console and click My Apps, then select the application you're working with. Under the Configuration tab, scroll down to OAuth 2.0 Credentials to locate the Client Secret. You may need to enable/use 2FA to retrieve this value. + multi: false + required: true + show_user: true + - name: api_url + type: text + title: API URL + description: URL to interact with the BOX api. + default: https://api.box.com + multi: false + required: true + show_user: false + - name: box_subject_id + type: password + title: Box Subject ID endpoint parameter + description: >- + The ID of the User Account that is leveraged to call the API. To get the Subject ID for your application, log in to your Box developer console and click My Apps, then select the application you're working with. Under the General Settings tab, scroll down to App Info to locate the User ID. + multi: false + required: true + show_user: true + - name: box_subject_type + type: text + title: Box Subject Type endpoint parameter + description: Subject Type for the user + default: user + multi: false + required: true + show_user: false + - name: grant_type + type: text + title: Grant Type + description: Grant Type endpoint parameter + default: client_credentials + multi: false + required: true + show_user: false +owner: + github: elastic/security-external-integrations diff --git a/packages/carbon_black_cloud/1.3.1/LICENSE.txt b/packages/carbon_black_cloud/1.3.1/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/carbon_black_cloud/1.3.1/changelog.yml b/packages/carbon_black_cloud/1.3.1/changelog.yml new file mode 100755 index 0000000000..94995104bd --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/changelog.yml @@ -0,0 +1,71 @@ +# newer versions go on top +- version: "1.3.1" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4399 +- version: "1.3.0" + changes: + - description: Add Support of SQS input type. + type: enhancement + link: https://github.com/elastic/integrations/issues/4316 +- version: "1.2.2" + changes: + - description: Ensure stability of related.hash array ordering. + type: bugfix + link: https://github.com/elastic/integrations/issues/4296 +- version: "1.2.1" + changes: + - description: Remove unused visualizations + type: enhancement + link: https://github.com/elastic/integrations/issues/3975 +- version: "1.2.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3842 +- version: "1.1.1" + changes: + - description: Fix proxy URL documentation rendering. + type: bugfix + link: https://github.com/elastic/integrations/pull/3881 +- version: "1.1.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.0.3" + changes: + - description: Add correct field mapping for event.created + type: bugfix + link: https://github.com/elastic/integrations/issues/3579 +- version: "1.0.2" + changes: + - description: Fix dashboard issues. + type: bugfix + link: https://github.com/elastic/integrations/issues/3462 +- version: "1.0.1" + changes: + - description: Change event.outcome value from failure to failed according to ECS + type: bugfix + link: https://github.com/elastic/integrations/issues/3407 +- version: "1.0.0" + changes: + - description: Make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/3428 +- version: 0.1.2 + changes: + - description: Add "VMware" to the title to make it "VMware Carbon Black Cloud". + type: enhancement + link: https://github.com/elastic/integrations/pull/3196 +- version: 0.1.1 + changes: + - description: Captured domain from username and hostname + type: enhancement + link: https://github.com/elastic/integrations/pull/3106 +- version: 0.1.0 + changes: + - description: Initial draft of the package. + type: enhancement + link: https://github.com/elastic/integrations/pull/2760 diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.3.1/data_stream/alert/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..26c4d05045 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/agent/stream/aws-s3.yml.hbs @@ -0,0 +1,82 @@ +{{#if collect_s3_logs}} + +{{#if bucket_arn}} +bucket_arn: {{bucket_arn}} +{{/if}} +{{#if number_of_workers}} +number_of_workers: {{number_of_workers}} +{{/if}} +{{#if interval}} +bucket_list_interval: {{interval}} +{{/if}} +{{#if bucket_list_prefix}} +bucket_list_prefix: {{bucket_list_prefix}} +{{/if}} + +{{else}} + +{{#if queue_url}} +queue_url: {{queue_url}} +{{/if}} +{{#if visibility_timeout}} +visibility_timeout: {{visibility_timeout}} +{{/if}} +{{#if api_timeout}} +api_timeout: {{api_timeout}} +{{/if}} +{{#if max_number_of_messages}} +max_number_of_messages: {{max_number_of_messages}} +{{/if}} +{{#if file_selectors}} +file_selectors: +{{file_selectors}} +{{/if}} +{{/if}} + +expand_event_list_from_field: Records +{{#if access_key_id}} +access_key_id: {{access_key_id}} +{{/if}} +{{#if secret_access_key}} +secret_access_key: {{secret_access_key}} +{{/if}} +{{#if session_token}} +session_token: {{session_token}} +{{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} +{{#if credential_profile_name}} +credential_profile_name: {{credential_profile_name}} +{{/if}} +{{#if role_arn}} +role_arn: {{role_arn}} +{{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if fips_enabled}} +fips_enabled: {{fips_enabled}} +{{/if}} +{{#if proxy_url}} +proxy_url: {{proxy_url}} +{{/if}} +tags: +{{#if collect_s3_logs}} + - collect_s3_logs +{{else}} + - collect_sqs_logs +{{/if}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.3.1/data_stream/alert/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..2f738b21a6 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/agent/stream/httpjson.yml.hbs @@ -0,0 +1,52 @@ +config_version: 2 +interval: {{interval}} +request.timeout: 2m +request.method: POST + +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} + +request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search +request.transforms: + - set: + target: header.X-Auth-Token + value: {{custom_api_secret_key}}/{{custom_api_id}} + - set: + target: body.criteria.last_update_time.start + value: '[[.cursor.last_update_timestamp]]' + default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]' + - set: + target: body.criteria.last_update_time.end + value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]' + - set: + target: body.sort + value: '[{ "field": "last_update_time", "order": "ASC"}]' + value_type: json +response.pagination: + - set: + target: body.criteria.last_update_time.start + value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]' + fail_on_template_error: true +cursor: + last_update_timestamp: + value: '[[.last_event.last_update_time]]' +response.split: + target: body.results +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..a302659e9e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,313 @@ +--- +description: Pipeline for parsing Carbon Black Cloud alerts. +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.id + - json.create_time + - json.last_update_time + target_field: _id + ignore_missing: true + - date: + field: json.create_time + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - set: + field: event.kind + value: alert + - rename: + field: json.id + target_field: event.id + ignore_missing: true + - rename: + field: json.first_event_time + target_field: event.start + ignore_missing: true + - rename: + field: json.last_event_time + target_field: event.end + ignore_missing: true + - rename: + field: json.severity + target_field: event.severity + ignore_missing: true + - urldecode: + field: json.alert_url + target_field: event.url + ignore_missing: true + - rename: + field: json.reason + target_field: event.reason + ignore_missing: true + - convert: + field: json.device_id + target_field: host.id + type: string + ignore_missing: true + - set: + field: host.os.type + value: windows + if: ctx?.json?.device_os == "WINDOWS" + - set: + field: host.os.type + value: linux + if: ctx?.json?.device_os == "LINUX" + - set: + field: host.os.type + value: macos + if: ctx?.json?.device_os == "MAC" + - set: + field: event.kind + value: alert + - rename: + field: json.device_os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: json.device_name + target_field: host.hostname + ignore_missing: true + - grok: + field: host.hostname + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' + ignore_missing: true + ignore_failure: true + - set: + field: host.name + value: "{{{host.hostname}}}" + ignore_failure: true + - append: + field: host.ip + value: "{{{json.device_internal_ip}}}" + if: ctx?.json?.device_internal_ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: host.ip + value: "{{{json.device_external_ip}}}" + if: ctx?.json?.device_external_ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device_username + target_field: user.name + ignore_missing: true + - grok: + field: user.name + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$' + ignore_missing: true + ignore_failure: true + - append: + field: related.ip + value: + - "{{{json.device_internal_ip}}}" + - "{{{json.device_external_ip}}}" + allow_duplicates: false + - append: + field: related.user + value: + - "{{{user.name}}}" + allow_duplicates: false + - append: + field: related.hosts + value: + - "{{{host.hostname}}}" + - "{{{user.domain}}}" + allow_duplicates: false + - append: + field: related.hash + value: + - "{{{json.threat_cause_actor_md5}}}" + - "{{{json.threat_cause_actor_sha256}}}" + allow_duplicates: false + - rename: + field: json.process_name + target_field: process.name + ignore_missing: true + - rename: + field: json.process_path + target_field: process.executable + ignore_missing: true + - rename: + field: json.process_guid + target_field: process.entity_id + ignore_missing: true + - rename: + field: json.vendor_name + target_field: carbon_black_cloud.alert.vendor_name + ignore_missing: true + - rename: + field: json.product_name + target_field: carbon_black_cloud.alert.product_name + ignore_missing: true + - rename: + field: json.serial_number + target_field: carbon_black_cloud.alert.serial_number + ignore_missing: true + - rename: + field: json.policy_id + target_field: carbon_black_cloud.alert.policy.id + ignore_missing: true + - rename: + field: json.policy_name + target_field: carbon_black_cloud.alert.policy.name + ignore_missing: true + - rename: + field: json.threat_id + target_field: carbon_black_cloud.alert.threat_id + ignore_missing: true + - rename: + field: json.policy_applied + target_field: carbon_black_cloud.alert.policy.applied + ignore_missing: true + - rename: + field: json.threat_activity_c2 + target_field: carbon_black_cloud.alert.threat_activity.c2 + ignore_missing: true + - rename: + field: json.threat_activity_dlp + target_field: carbon_black_cloud.alert.threat_activity.dlp + ignore_missing: true + - rename: + field: json.threat_activity_phish + target_field: carbon_black_cloud.alert.threat_activity.phish + ignore_missing: true + - rename: + field: json.threat_cause_actor_name + target_field: carbon_black_cloud.alert.threat_cause.actor.name + ignore_missing: true + - rename: + field: json.threat_cause_actor_process_pid + target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid + ignore_missing: true + - rename: + field: json.threat_cause_actor_sha256 + target_field: carbon_black_cloud.alert.threat_cause.actor.sha256 + ignore_missing: true + - rename: + field: json.threat_cause_actor_md5 + target_field: carbon_black_cloud.alert.threat_cause.actor.md5 + ignore_missing: true + - rename: + field: json.threat_cause_cause_event_id + target_field: carbon_black_cloud.alert.threat_cause.cause_event_id + ignore_missing: true + - rename: + field: json.threat_cause_parent_guid + target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid + ignore_missing: true + - rename: + field: json.threat_cause_process_guid + target_field: carbon_black_cloud.alert.threat_cause.process.guid + ignore_missing: true + - rename: + field: json.threat_cause_reputation + target_field: carbon_black_cloud.alert.threat_cause.reputation + ignore_missing: true + - rename: + field: json.threat_cause_threat_category + target_field: carbon_black_cloud.alert.threat_cause.threat_category + ignore_missing: true + - rename: + field: json.threat_cause_vector + target_field: carbon_black_cloud.alert.threat_cause.vector + ignore_missing: true + - rename: + field: json.ioc_field + target_field: carbon_black_cloud.alert.ioc.field + ignore_missing: true + - rename: + field: json.ioc_hit + target_field: carbon_black_cloud.alert.ioc.hit + ignore_missing: true + - rename: + field: json.ioc_id + target_field: carbon_black_cloud.alert.ioc.id + ignore_missing: true + - rename: + field: json.report_id + target_field: carbon_black_cloud.alert.report.id + ignore_missing: true + - rename: + field: json.report_name + target_field: carbon_black_cloud.alert.report.name + ignore_missing: true + - rename: + field: json.org_key + target_field: carbon_black_cloud.alert.organization_key + ignore_missing: true + - rename: + field: json.device_location + target_field: carbon_black_cloud.alert.device.location + ignore_missing: true + - rename: + field: json.device_os + target_field: carbon_black_cloud.alert.device.os + ignore_missing: true + - rename: + field: json.device_internal_ip + target_field: carbon_black_cloud.alert.device.internal_ip + ignore_missing: true + - rename: + field: json.device_external_ip + target_field: carbon_black_cloud.alert.device.external_ip + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - lowercase: + field: json.category + ignore_missing: true + - script: + description: Adds all the remaining fields in fields under carbon_black_cloud.alert + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue(); + } + - remove: + field: + - json + - carbon_black_cloud.alert.create_time + - carbon_black_cloud.alert.device_id + - carbon_black_cloud.alert.alert_url + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/agent.yml new file mode 100755 index 0000000000..bf2dfff675 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/agent.yml @@ -0,0 +1,171 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/base-fields.yml new file mode 100755 index 0000000000..14fb618ea4 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.alert diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/ecs.yml new file mode 100755 index 0000000000..7aa008a975 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/ecs.yml @@ -0,0 +1,135 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: host.os.type + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/fields.yml new file mode 100755 index 0000000000..3eca3a1515 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/fields/fields.yml @@ -0,0 +1,218 @@ +- name: carbon_black_cloud.alert + type: group + fields: + - name: blocked_threat_category + type: keyword + description: The category of threat which we were able to take action on. + - name: category + type: keyword + description: The category of the alert. + - name: count + type: long + - name: created_by_event_id + type: keyword + description: Event identifier that initiated the alert. + - name: device + type: group + fields: + - name: location + type: keyword + description: The Location of device. + - name: os + type: keyword + description: OS of the device. + - name: internal_ip + type: ip + description: Internal IP of the device. + - name: external_ip + type: ip + description: External IP of the device. + - name: document_guid + type: keyword + description: Unique ID of document. + - name: ioc + type: group + fields: + - name: field + type: keyword + description: The field the indicator of comprise (IOC) hit contains. + - name: hit + type: keyword + description: IOC field value or IOC query that matches. + - name: id + type: keyword + description: The identifier of the IOC that cause the hit. + - name: kill_chain_status + type: keyword + description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. + - name: last_update_time + type: date + description: The last time the alert was updated as an ISO 8601 UTC timestamp. + - name: legacy_alert_id + type: keyword + description: The legacy identifier for the alert. + - name: not_blocked_threat_category + type: keyword + description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). + - name: notes_present + type: boolean + description: Indicates if notes are associated with the threat_id. + - name: organization_key + type: keyword + description: The unique identifier for the organization associated with the alert. + - name: policy + type: group + fields: + - name: applied + type: keyword + description: Whether a policy was applied. + - name: id + type: long + description: The identifier for the policy associated with the device at the time of the alert. + - name: name + type: keyword + description: The name of the policy associated with the device at the time of the alert. + - name: product_id + type: keyword + description: The hexadecimal id of the USB device's product. + - name: product_name + type: keyword + description: The name of the USB device’s vendor. + - name: reason_code + type: keyword + description: Shorthand enum for the full-text reason. + - name: report + type: group + fields: + - name: id + type: keyword + description: The identifier of the report that contains the IOC. + - name: name + type: keyword + description: The name of the report that contains the IOC. + - name: run_state + type: keyword + description: Whether the threat in the alert ran. + - name: sensor_action + type: keyword + description: The action taken by the sensor, according to the rule of the policy. + - name: serial_number + type: keyword + description: The serial number of the USB device. + - name: status + type: keyword + description: status of alert. + - name: tags + type: keyword + description: Tags associated with the alert. + - name: target_value + type: keyword + description: The priority of the device assigned by the policy. + - name: threat_activity + type: group + fields: + - name: c2 + type: keyword + description: Whether the alert involved a command and control (c2) server. + - name: dlp + type: keyword + description: Whether the alert involved data loss prevention (DLP). + - name: phish + type: keyword + description: Whether the alert involved phishing. + - name: threat_cause + type: group + fields: + - name: actor + type: group + fields: + - name: md5 + type: keyword + description: MD5 of the threat cause actor. + - name: name + type: keyword + description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.' + - name: process_pid + type: keyword + description: Process identifier (PID) of the actor process. + - name: sha256 + type: keyword + description: SHA256 of the threat cause actor. + - name: cause_event_id + type: keyword + description: ID of the Event that triggered the threat. + - name: process + type: group + fields: + - name: guid + type: keyword + description: The global unique identifier of the process. + - name: parent + type: group + fields: + - name: guid + type: keyword + description: The global unique identifier of the process. + - name: reputation + type: keyword + description: Reputation of the threat cause. + - name: threat_category + type: keyword + description: Category of the threat cause. + - name: vector + type: keyword + description: The source of the threat cause. + - name: threat_id + type: keyword + description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. + - name: threat_indicators + type: group + description: List of the threat indicators that make up the threat. + fields: + - name: process_name + type: keyword + description: Process name associated with threat. + - name: sha256 + type: keyword + description: Sha256 associated with threat. + - name: ttps + type: keyword + description: Tactics, techniques and procedures associated with threat. + - name: type + type: keyword + description: Type of alert. + - name: vendor_id + type: keyword + description: The hexadecimal id of the USB device's vendor. + - name: vendor_name + type: keyword + description: The name of the USB device’s vendor. + - name: watchlists + type: group + description: List of watchlists associated with an alert. + fields: + - name: id + type: keyword + description: The identifier of watchlist. + - name: name + type: keyword + description: The name of the watchlist. + - name: workflow + type: group + description: Tracking system for alerts as they are triaged and resolved. + fields: + - name: changed_by + type: keyword + description: The name of user who changed the workflow. + - name: comment + type: keyword + description: Comment associated with workflow. + - name: last_update_time + type: date + description: The last update time of workflow. + - name: remediation + type: keyword + description: N/A + - name: state + type: keyword + description: The state of workflow. diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/1.3.1/data_stream/alert/manifest.yml new file mode 100755 index 0000000000..a5b71d8b23 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/manifest.yml @@ -0,0 +1,136 @@ +title: Alert +type: logs +streams: + - input: httpjson + title: Collect alerts from Carbon Black Cloud + description: Collect alerts from Carbon Black Cloud. + template_path: httpjson.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Interval to fetch alerts from Carbon Black Cloud. + multi: false + required: true + show_user: true + default: 1m + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the alerts from the Carbon Black Cloud API. + default: 24h + multi: false + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: aws-s3 + title: Collect alerts from Carbon Black Cloud + description: Collect alerts from Carbon Black Cloud. + template_path: aws-s3.yml.hbs + vars: + - name: bucket_list_prefix + type: text + title: '[S3] Bucket Prefix' + multi: false + required: false + show_user: true + default: alert_logs + description: Prefix to apply for the list request to the S3 bucket. + - name: interval + type: text + title: '[S3] Interval' + multi: false + required: false + show_user: true + default: 1m + description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. + - name: number_of_workers + type: integer + title: '[S3] Number of Workers' + multi: false + required: false + show_user: true + default: 5 + description: Number of workers that will process the S3 objects listed. + - name: visibility_timeout + type: text + title: '[SQS] Visibility Timeout' + multi: false + required: false + show_user: true + default: 300s + description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s. + - name: api_timeout + type: text + title: '[SQS] API Timeout' + multi: false + required: false + show_user: true + default: 120s + description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s. + - name: max_number_of_messages + type: integer + title: '[SQS] Maximum Concurrent SQS Messages' + required: false + show_user: true + default: 5 + description: The maximum number of SQS messages that can be inflight at any time. + - name: file_selectors + type: yaml + title: '[SQS] File Selectors' + multi: false + required: false + show_user: false + default: | + - regex: 'alert_logs/' + description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/1.3.1/data_stream/alert/sample_event.json new file mode 100755 index 0000000000..7ecbfab721 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/alert/sample_event.json @@ -0,0 +1,113 @@ +{ + "@timestamp": "2020-11-17T22:05:13.000Z", + "agent": { + "ephemeral_id": "cc329655-90f8-4dc9-8014-e152f2b949da", + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "carbon_black_cloud": { + "alert": { + "category": "warning", + "device": { + "external_ip": "81.2.69.143", + "internal_ip": "81.2.69.144", + "location": "UNKNOWN", + "os": "WINDOWS" + }, + "last_update_time": "2020-11-17T22:05:13Z", + "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", + "organization_key": "ABCD6X3T", + "policy": { + "applied": "APPLIED", + "id": 6997287, + "name": "Standard" + }, + "product_id": "0x5406", + "product_name": "U3 Cruzer Micro", + "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", + "run_state": "DID_NOT_RUN", + "sensor_action": "DENY", + "serial_number": "0875920EF7C2A304", + "target_value": "MEDIUM", + "threat_cause": { + "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", + "threat_category": "NON_MALWARE", + "vector": "REMOVABLE_MEDIA" + }, + "threat_id": "t5678", + "type": "DEVICE_CONTROL", + "vendor_id": "0x0781", + "vendor_name": "SanDisk", + "workflow": { + "changed_by": "Carbon Black", + "last_update_time": "2020-11-17T22:02:16Z", + "state": "OPEN" + } + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-09-26T01:58:04.610Z", + "dataset": "carbon_black_cloud.alert", + "end": "2020-11-17T22:02:16Z", + "id": "test1", + "ingested": "2022-09-26T01:58:05Z", + "kind": "alert", + "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", + "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", + "severity": 3, + "start": "2020-11-17T22:02:16Z", + "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" + }, + "host": { + "hostname": "DESKTOP-002", + "id": "2", + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "name": "DESKTOP-002", + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-002" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "user": [ + "test34@demo.com" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-alert" + ], + "user": { + "name": "test34@demo.com" + } +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..310b6e05d5 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs @@ -0,0 +1,45 @@ +config_version: 2 +interval: {{interval}} +request.method: POST +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search +request.transforms: + - set: + target: header.X-Auth-Token + value: {{custom_api_secret_key}}/{{custom_api_id}} + - set: + target: body.start + value: '0' + value_type: int + - set: + target: body.rows + value: '10000' + value_type: int +request.timeout: 2m +response.pagination: + - set: + target: body.start + value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]' + value_type: int + fail_on_template_error: true +response.split: + target: body.results +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..5ded16ebb3 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,132 @@ +--- +description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary. +processors: +- rename: + field: message + target_field: event.original + ignore_missing: true +- set: + field: ecs.version + value: '8.4.0' +- json: + field: event.original + target_field: json +- rename: + field: json.host_name + target_field: host.hostname + ignore_missing: true +- convert: + field: json.device_id + type: string + target_field: host.id + ignore_missing: true +- rename: + field: json.name + target_field: host.name + ignore_missing: true +- rename: + field: json.os_info.os_name + target_field: host.os.name + ignore_missing: true +- set: + field: host.os.type + value: windows + if: ctx?.json?.os_info.os_type == "WINDOWS" +- set: + field: host.os.type + value: ubuntu + if: ctx?.json?.os_info.os_type == "UBUNTU" +- set: + field: host.os.type + value: centos + if: ctx?.json?.os_info.os_type == "CENTOS" +- remove : + field: json.os_info.os_type + ignore_missing: true +- remove : + field: json.device_id + ignore_missing: true +- rename: + field: json.os_info.os_version + target_field: host.os.version + ignore_missing: true +- rename: + field: json.highest_risk_score + target_field: vulnerability.score.base + ignore_missing: true +- rename: + field: json.severity + target_field: vulnerability.severity + ignore_missing: true +- date: + field: json.last_sync_ts + formats: + - ISO8601 + target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp +- remove: + field: json.last_sync_ts + ignore_missing: true +- rename: + field: json.sync_status + target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status + ignore_missing: true +- rename: + field: json.sync_type + target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type + ignore_missing: true +- rename: + field: json.type + target_field: carbon_black_cloud.asset_vulnerability_summary.type + ignore_missing: true +- rename: + field: json.vm_id + target_field: carbon_black_cloud.asset_vulnerability_summary.vm.id + ignore_missing: true +- rename: + field: json.vm_name + target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name + ignore_missing: true +- rename: + field: json.vuln_count + target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count + ignore_missing: true +- append: + field: related.hosts + value: "{{{host.hostname}}}" + allow_duplicates: false +- script: + description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue(); + } +- remove: + field: json + ignore_missing: true +- script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/agent.yml new file mode 100755 index 0000000000..c761dfb768 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/agent.yml @@ -0,0 +1,164 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml new file mode 100755 index 0000000000..e6791517a6 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset + value: carbon_black_cloud.asset_vulnerability_summary diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/ecs.yml new file mode 100755 index 0000000000..2888171bb0 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/ecs.yml @@ -0,0 +1,67 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: host.os.type + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.base + type: float +- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.severity + type: keyword diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/fields.yml new file mode 100755 index 0000000000..a70b2974e8 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/fields/fields.yml @@ -0,0 +1,39 @@ +- name: carbon_black_cloud.asset_vulnerability_summary + type: group + fields: + - name: os_info + type: group + fields: + - name: os_arch + type: keyword + description: The identifier is for the Operating system architecture. + - name: last_sync + type: group + fields: + - name: timestamp + type: date + description: The identifier is for the Last sync time. + - name: sync + type: group + fields: + - name: status + type: keyword + description: The identifier is for the Device sync status. + - name: type + type: keyword + description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. + - name: type + type: keyword + description: The identifier is for the Device type. + - name: vm + type: group + fields: + - name: id + type: keyword + description: The identifier is for the Virtual Machine ID. + - name: name + type: keyword + description: The identifier is for the Virtual Machine name. + - name: vuln_count + type: integer + description: The identifier is for the Number of vulnerabilities at this level. diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/manifest.yml new file mode 100755 index 0000000000..b7bf78f84d --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/manifest.yml @@ -0,0 +1,42 @@ +title: Asset Vulnerability Summary +type: logs +streams: + - input: httpjson + title: Collect asset vulnerability summary from Carbon Black Cloud + description: Collect asset vulnerability summary from Carbon Black Cloud. + template_path: httpjson.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Interval to query asset vulnerability summary in Carbon Black Cloud. + multi: false + required: true + show_user: true + default: 1h + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-asset-vulnerability-summary + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/sample_event.json new file mode 100755 index 0000000000..18a138c167 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/asset_vulnerability_summary/sample_event.json @@ -0,0 +1,75 @@ +{ + "@timestamp": "2022-09-26T01:58:41.710Z", + "agent": { + "ephemeral_id": "818ffeea-8e73-497b-bc16-b13e6bb3010c", + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "carbon_black_cloud": { + "asset_vulnerability_summary": { + "last_sync": { + "timestamp": "2022-01-17T08:33:37.384Z" + }, + "os_info": { + "os_arch": "64-bit" + }, + "sync": { + "status": "COMPLETED", + "type": "SCHEDULED" + }, + "type": "ENDPOINT", + "vuln_count": 1770 + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-09-26T01:58:41.710Z", + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "ingested": "2022-09-26T01:58:45Z", + "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" + }, + "host": { + "hostname": "DESKTOP-008", + "id": "8", + "name": "DESKTOP-008KK", + "os": { + "name": "Microsoft Windows 10 Education", + "type": "windows", + "version": "10.0.17763" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-008" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-asset-vulnerability-summary" + ], + "vulnerability": { + "score": { + "base": 10 + }, + "severity": "CRITICAL" + } +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.3.1/data_stream/audit/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..2693bd2bbb --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/audit/agent/stream/httpjson.yml.hbs @@ -0,0 +1,32 @@ +config_version: 2 +interval: {{interval}} +request.method: GET + +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} + +request.url: {{hostname}}/integrationServices/v3/auditlogs +request.transforms: + - set: + target: header.X-Auth-Token + value: {{api_secret_key}}/{{api_id}} +response.split: + target: body.notifications +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..ebf7661d61 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,93 @@ +--- +description: Pipeline for parsing Carbon Black Cloud audit logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.eventTime + target_field: "@timestamp" + ignore_failure: true + formats: + - UNIX_MS + - set: + field: event.kind + value: event + - set: + field: event.outcome + value: success + - set: + field: event.outcome + value: failure + if: ctx?.json?.flagged == true + - rename: + field: json.description + target_field: event.reason + - rename: + field: json.clientIp + target_field: client.ip + ignore_missing: true + - rename: + field: json.loginName + target_field: client.user.id + ignore_missing: true + - rename: + field: json.eventId + target_field: event.id + ignore_missing: true + - rename: + field: json.orgName + target_field: organization.name + ignore_missing: true + - urldecode: + field: json.requestUrl + target_field: url.original + ignore_missing: true + - rename: + field: json.verbose + target_field: carbon_black_cloud.audit.verbose + ignore_missing: true + - rename: + field: json.flagged + target_field: carbon_black_cloud.audit.flagged + ignore_missing: true + - append: + field: related.ip + value: "{{{client.ip}}}" + allow_duplicates: false + - remove: + field: json + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/agent.yml @@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..a14e71251a --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.audit diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..1e5dc2f871 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/ecs.yml @@ -0,0 +1,66 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..24af5d42b9 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/audit/fields/fields.yml @@ -0,0 +1,9 @@ +- name: carbon_black_cloud.audit + type: group + fields: + - name: flagged + type: boolean + description: true if action is failed otherwise false. + - name: verbose + type: boolean + description: true if verbose audit log otherwise false. diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/1.3.1/data_stream/audit/manifest.yml new file mode 100755 index 0000000000..929093a4ef --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/audit/manifest.yml @@ -0,0 +1,42 @@ +title: Audit +type: logs +streams: + - input: httpjson + title: Collect audit logs from Carbon Black Cloud + description: Collect audit logs from Carbon Black Cloud. + template_path: httpjson.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Interval to fetch audit logs from Carbon Black Cloud. + multi: false + required: true + show_user: true + default: 1m + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/1.3.1/data_stream/audit/sample_event.json new file mode 100755 index 0000000000..d12c27c706 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/audit/sample_event.json @@ -0,0 +1,62 @@ +{ + "@timestamp": "2022-02-10T16:04:30.263Z", + "agent": { + "ephemeral_id": "a332765e-1e1f-4ec7-b24e-ae2d0dd5d74f", + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "carbon_black_cloud": { + "audit": { + "flagged": false, + "verbose": false + } + }, + "client": { + "ip": "10.10.10.10", + "user": { + "id": "abc@demo.com" + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-09-26T01:59:24.724Z", + "dataset": "carbon_black_cloud.audit", + "id": "2122f8ce8xxxxxxxxxxxxx", + "ingested": "2022-09-26T01:59:25Z", + "kind": "event", + "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", + "outcome": "success", + "reason": "Logged in successfully" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "name": "cb-xxxx-xxxx.com" + }, + "related": { + "ip": [ + "10.10.10.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-audit" + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..26c4d05045 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs @@ -0,0 +1,82 @@ +{{#if collect_s3_logs}} + +{{#if bucket_arn}} +bucket_arn: {{bucket_arn}} +{{/if}} +{{#if number_of_workers}} +number_of_workers: {{number_of_workers}} +{{/if}} +{{#if interval}} +bucket_list_interval: {{interval}} +{{/if}} +{{#if bucket_list_prefix}} +bucket_list_prefix: {{bucket_list_prefix}} +{{/if}} + +{{else}} + +{{#if queue_url}} +queue_url: {{queue_url}} +{{/if}} +{{#if visibility_timeout}} +visibility_timeout: {{visibility_timeout}} +{{/if}} +{{#if api_timeout}} +api_timeout: {{api_timeout}} +{{/if}} +{{#if max_number_of_messages}} +max_number_of_messages: {{max_number_of_messages}} +{{/if}} +{{#if file_selectors}} +file_selectors: +{{file_selectors}} +{{/if}} +{{/if}} + +expand_event_list_from_field: Records +{{#if access_key_id}} +access_key_id: {{access_key_id}} +{{/if}} +{{#if secret_access_key}} +secret_access_key: {{secret_access_key}} +{{/if}} +{{#if session_token}} +session_token: {{session_token}} +{{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} +{{#if credential_profile_name}} +credential_profile_name: {{credential_profile_name}} +{{/if}} +{{#if role_arn}} +role_arn: {{role_arn}} +{{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if fips_enabled}} +fips_enabled: {{fips_enabled}} +{{/if}} +{{#if proxy_url}} +proxy_url: {{proxy_url}} +{{/if}} +tags: +{{#if collect_s3_logs}} + - collect_s3_logs +{{else}} + - collect_sqs_logs +{{/if}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..4729351d25 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,593 @@ +--- +description: Pipeline for parsing Carbon Black Cloud Endpoint Events. +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.create_time + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - rename: + field: json.action + target_field: event.action + ignore_missing: true + - rename: + field: json.event_id + target_field: event.id + ignore_missing: true + - rename: + field: json.event_description + target_field: event.reason + ignore_missing: true + - rename: + field: json.filemod_name + target_field: file.path + ignore_missing: true + - rename: + field: json.modload_name + target_field: dll.path + ignore_missing: true + - set: + field: network.transport + value: udp + if: ctx?.json?.netconn_protocol == "PROTO_UDP" + - set: + field: network.transport + value: tcp + if: ctx?.json?.netconn_protocol == "PROTO_TCP" + - set: + field: network.direction + value: inbound + if: ctx?.json?.netconn_inbound == true + - set: + field: network.direction + value: outbound + if: ctx?.json?.netconn_inbound == false + - rename: + field: json.remote_port + target_field: source.port + ignore_missing: true + - rename: + field: json.remote_ip + target_field: source.ip + ignore_missing: true + - rename: + field: json.netconn_domain + target_field: source.address + ignore_missing: true + - rename: + field: json.local_port + target_field: client.port + ignore_missing: true + - rename: + field: json.local_ip + target_field: client.ip + ignore_missing: true + - convert: + field: json.device_id + target_field: host.id + type: string + ignore_missing: true + - set: + field: host.os.type + value: windows + if: ctx?.json?.device_os == "WINDOWS" + - set: + field: host.os.type + value: linux + if: ctx?.json?.device_os == "LINUX" + - set: + field: host.os.type + value: macos + if: ctx?.json?.device_os == "MAC" + - rename: + field: json.device_name + target_field: host.hostname + ignore_missing: true + - grok: + field: host.hostname + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' + ignore_missing: true + ignore_failure: true + - set: + field: host.name + value: "{{{host.hostname}}}" + ignore_failure: true + - rename: + field: json.device_group + target_field: host.os.family + ignore_missing: true + - append: + field: host.ip + value: "{{{json.device_internal_ip}}}" + if: ctx?.json?.device_internal_ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: host.ip + value: "{{{json.device_external_ip}}}" + if: ctx?.json?.device_external_ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device_group + target_field: host.os.family + ignore_missing: true + - rename: + field: json.process_cmdline + target_field: process.command_line + ignore_missing: true + - rename: + field: json.process_guid + target_field: process.entity_id + ignore_missing: true + - rename: + field: json.process_path + target_field: process.executable + ignore_missing: true + - rename: + field: json.process_pid + target_field: process.pid + ignore_missing: true + - rename: + field: json.parent_cmdline + target_field: process.parent.command_line + ignore_missing: true + - rename: + field: json.parent_guid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: json.parent_path + target_field: process.parent.executable + ignore_missing: true + - rename: + field: json.parent_pid + target_field: process.parent.pid + ignore_missing: true + - rename: + field: json.regmod_name + target_field: registry.path + ignore_missing: true + - append: + field: related.ip + value: + - "{{{json.device_internal_ip}}}" + - "{{{json.device_external_ip}}}" + - "{{{json.netconn_proxy_ip}}}" + - "{{{source.ip}}}" + - "{{{client.ip}}}" + allow_duplicates: false + - append: + field: related.user + value: + - "{{{json.process_username}}}" + - "{{{json.childproc_username}}}" + allow_duplicates: false + - append: + field: related.hosts + value: + - "{{{host.hostname}}}" + - "{{{user.domain}}}" + allow_duplicates: false + - script: + description: Dynamically map MD5 and SHA256 hash + lang: painless + source: | + void mapHashField(def ctx, def hashes, def key) { + for (hash in hashes) { + if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} + if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} + } + } + if (ctx.json?.process_hash instanceof List) { + mapHashField(ctx, ctx.json?.process_hash, "process_hash"); + } + if (ctx.json?.parent_hash instanceof List) { + mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); + } + if (ctx.json?.filemod_hash instanceof List) { + mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash"); + } + if (ctx.json?.childproc_hash instanceof List) { + mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash"); + } + if (ctx.json?.crossproc_hash instanceof List) { + mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash"); + } + if (ctx.json?.scriptload_hash instanceof List) { + mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash"); + } + - rename: + field: json.process_hash_md5 + target_field: process.hash.md5 + ignore_missing: true + - rename: + field: json.process_hash_sha256 + target_field: process.hash.sha256 + ignore_missing: true + - rename: + field: json.parent_hash_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - rename: + field: json.parent_hash_sha256 + target_field: process.parent.hash.sha256 + ignore_missing: true + - rename: + field: json.backend_timestamp + target_field: carbon_black_cloud.endpoint_event.backend.timestamp + ignore_missing: true + - rename: + field: json.device_timestamp + target_field: carbon_black_cloud.endpoint_event.device.timestamp + ignore_missing: true + - rename: + field: json.device_os + target_field: carbon_black_cloud.endpoint_event.device.os + ignore_missing: true + - rename: + field: json.childproc_name + target_field: carbon_black_cloud.endpoint_event.childproc.name + ignore_missing: true + - rename: + field: json.org_key + target_field: carbon_black_cloud.endpoint_event.organization_key + ignore_missing: true + - rename: + field: json.process_duration + target_field: carbon_black_cloud.endpoint_event.process.duration + ignore_missing: true + - foreach: + field: json.process_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.process_publisher + target_field: carbon_black_cloud.endpoint_event.process.publisher + ignore_missing: true + - rename: + field: json.process_reputation + target_field: carbon_black_cloud.endpoint_event.process.reputation + ignore_missing: true + - rename: + field: json.process_terminated + target_field: carbon_black_cloud.endpoint_event.process.terminated + ignore_missing: true + - rename: + field: json.process_username + target_field: carbon_black_cloud.endpoint_event.process.username + ignore_missing: true + - rename: + field: json.parent_reputation + target_field: carbon_black_cloud.endpoint_event.process.parent.reputation + ignore_missing: true + - rename: + field: json.target_cmdline + target_field: carbon_black_cloud.endpoint_event.target_cmdline + ignore_missing: true + - rename: + field: json.type + target_field: carbon_black_cloud.endpoint_event.type + ignore_missing: true + +# Mapping for endpoint.event.crossproc event type + + - rename: + field: json.crossproc_action + target_field: carbon_black_cloud.endpoint_event.crossproc.action + ignore_missing: true + - rename: + field: json.crossproc_api + target_field: carbon_black_cloud.endpoint_event.crossproc.api + ignore_missing: true + - rename: + field: json.crossproc_guid + target_field: carbon_black_cloud.endpoint_event.crossproc.guid + ignore_missing: true + - rename: + field: json.crossproc_name + target_field: carbon_black_cloud.endpoint_event.crossproc.name + ignore_missing: true + - rename: + field: json.crossproc_target + target_field: carbon_black_cloud.endpoint_event.crossproc.target + ignore_missing: true + - rename: + field: json.crossproc_reputation + target_field: carbon_black_cloud.endpoint_event.crossproc.reputation + ignore_missing: true + - foreach: + field: json.crossproc_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.crossproc_publisher + target_field: carbon_black_cloud.endpoint_event.crossproc.publisher + ignore_missing: true + - rename: + field: json.crossproc_hash_md5 + target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5 + ignore_missing: true + - rename: + field: json.crossproc_hash_sha256 + target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256 + ignore_missing: true + +# Mapping for endpoint.event.filemod event type + + - rename: + field: json.filemod_hash_md5 + target_field: file.hash.md5 + ignore_missing: true + - rename: + field: json.filemod_hash_sha256 + target_field: file.hash.sha256 + ignore_missing: true + +# Mapping for endpoint.event.fileless_scriptload event type + + - rename: + field: json.fileless_scriptload_cmdline + target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline + ignore_missing: true + - rename: + field: json.fileless_scriptload_cmdline_length + target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length + ignore_missing: true + - rename: + field: json.fileless_scriptload_hash_md5 + target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 + ignore_missing: true + - rename: + field: json.fileless_scriptload_hash_sha256 + target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 + ignore_missing: true + +# Mapping for endpoint.event.moduleload event type + + - rename: + field: json.modload_md5 + target_field: dll.hash.md5 + ignore_missing: true + - rename: + field: json.modload_sha256 + target_field: dll.hash.sha256 + ignore_missing: true + - rename: + field: json.modload_effective_reputation + target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation + ignore_missing: true + - rename: + field: json.modload_count + target_field: carbon_black_cloud.endpoint_event.modload.count + ignore_missing: true + - foreach: + field: json.modload_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.modload_publisher + target_field: carbon_black_cloud.endpoint_event.modload.publisher + ignore_missing: true + +# Mapping for endpoint.event.netconn_proxy event type + + - rename: + field: json.netconn_proxy_domain + target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain + ignore_missing: true + - rename: + field: json.netconn_proxy_port + target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port + ignore_missing: true + - rename: + field: json.netconn_proxy_ip + target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip + ignore_missing: true + +# Mapping for endpoint.event.procstart event type + + - rename: + field: json.childproc_guid + target_field: carbon_black_cloud.endpoint_event.childproc.guid + ignore_missing: true + - rename: + field: json.childproc_name + target_field: carbon_black_cloud.endpoint_event.childproc.name + ignore_missing: true + - rename: + field: json.childproc_pid + target_field: carbon_black_cloud.endpoint_event.childproc.pid + ignore_missing: true + - foreach: + field: json.childproc_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.childproc_publisher + target_field: carbon_black_cloud.endpoint_event.childproc.publisher + ignore_missing: true + - rename: + field: json.childproc_reputation + target_field: carbon_black_cloud.endpoint_event.childproc.reputation + ignore_missing: true + - rename: + field: json.childproc_username + target_field: carbon_black_cloud.endpoint_event.childproc.username + ignore_missing: true + - rename: + field: json.childproc_hash_md5 + target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5 + ignore_missing: true + - rename: + field: json.childproc_hash_sha256 + target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256 + ignore_missing: true + +# Mapping for NGAV endpoint.event.scriptload event type + + - rename: + field: json.scriptload_name + target_field: carbon_black_cloud.endpoint_event.scriptload.name + ignore_missing: true + - foreach: + field: json.scriptload_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.scriptload_publisher + target_field: carbon_black_cloud.endpoint_event.scriptload.publisher + ignore_missing: true + - rename: + field: json.scriptload_count + target_field: carbon_black_cloud.endpoint_event.scriptload.count + ignore_missing: true + - rename: + field: json.scriptload_hash_md5 + target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5 + ignore_missing: true + - rename: + field: json.scriptload_hash_sha256 + target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256 + ignore_missing: true + - rename: + field: json.scriptload_effective_reputation + target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation + ignore_missing: true + - rename: + field: json.scriptload_reputation + target_field: carbon_black_cloud.endpoint_event.scriptload.reputation + ignore_missing: true + - rename: + field: json.device_internal_ip + target_field: carbon_black_cloud.endpoint_event.device.internal_ip + ignore_missing: true + - rename: + field: json.device_external_ip + target_field: carbon_black_cloud.endpoint_event.device.external_ip + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + - append: + field: related.hash + value: + - "{{{process.hash.md5}}}" + - "{{{process.hash.sha256}}}" + - "{{{process.parent.hash.md5}}}" + - "{{{process.parent.hash.sha256}}}" + - "{{{file.hash.md5}}}" + - "{{{file.hash.sha256}}}" + - "{{{dll.hash.md5}}}" + - "{{{dll.hash.sha256}}}" + - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}" + - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}" + - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}" + - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}" + - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}" + - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}" + - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}" + - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}" + allow_duplicates: false + - script: + description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue(); + } + - remove: + field: + - json + - carbon_black_cloud.endpoint_event.create_time + - carbon_black_cloud.endpoint_event.device_id + - carbon_black_cloud.endpoint_event.process_hash + - carbon_black_cloud.endpoint_event.parent_hash + - carbon_black_cloud.endpoint_event.crossproc_hash + - carbon_black_cloud.endpoint_event.filemod_hash + - carbon_black_cloud.endpoint_event.childproc_hash + - carbon_black_cloud.endpoint_event.modload_hash + - carbon_black_cloud.endpoint_event.scriptload_hash + - carbon_black_cloud.endpoint_event.netconn_inbound + - carbon_black_cloud.endpoint_event.netconn_protocol + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - script: + description: Remove duplicate values + lang: painless + source: | + if (ctx?.related?.user != null) { + ctx.related.user = new HashSet(ctx.related.user) + } + if (ctx?.related?.ip != null) { + ctx.related.ip = new HashSet(ctx.related.ip) + } + if (ctx?.related?.hash != null) { + def hashes = new HashSet(ctx.related.hash); + def hash = new ArrayList(); + for (def h: hashes) { + hash.add(h); + } + Collections.sort(hash); + ctx.related.hash = hash; + } +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/agent.yml new file mode 100755 index 0000000000..643c71067e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/base-fields.yml new file mode 100755 index 0000000000..9b3253d2db --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.endpoint_event diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/ecs.yml new file mode 100755 index 0000000000..770f024b15 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/ecs.yml @@ -0,0 +1,203 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: MD5 hash. + name: dll.hash.md5 + type: keyword +- description: SHA256 hash. + name: dll.hash.sha256 + type: keyword +- description: Full file path of the library. + name: dll.path + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: host.os.family + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: Process id. + name: process.pid + type: long +- description: Full path, including hive, key and value + name: registry.path + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/fields.yml new file mode 100755 index 0000000000..199988ffb6 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/fields/fields.yml @@ -0,0 +1,239 @@ +- name: carbon_black_cloud.endpoint_event + type: group + fields: + - name: alert_id + type: keyword + description: The ID of the Alert this event is associated with. + - name: backend + type: group + fields: + - name: timestamp + type: keyword + description: Time when the backend received the batch of events. + - name: childproc + type: group + fields: + - name: guid + type: keyword + description: Unique ID of the child process. + - name: hash + type: group + fields: + - name: md5 + type: keyword + description: Cryptographic MD5 hashes of the executable file backing the child process. + - name: sha256 + type: keyword + description: Cryptographic SHA256 hashes of the executable file backing the child process. + - name: name + type: keyword + description: Full path to the target of the crossproc event on the device's local file system. + - name: pid + type: long + description: OS-reported Process ID of the child process. + - name: publisher + type: group + description: Signature entry for the childproc as reported by the endpoint. + fields: + - name: name + type: keyword + description: The name of the publisher. + - name: state + type: keyword + description: The state of the publisher. + - name: reputation + type: keyword + description: Carbon Black Cloud Reputation string for the childproc. + - name: username + type: keyword + description: The username associated with the user context that the child process was started under. + - name: crossproc + type: group + fields: + - name: action + type: keyword + description: The action taken on cross-process. + - name: api + type: keyword + description: Name of the operating system API called by the actor process. + - name: guid + type: keyword + description: Unique ID of the cross process. + - name: hash + type: group + fields: + - name: md5 + type: keyword + description: Cryptographic MD5 hashes of the target of the crossproc event. + - name: sha256 + type: keyword + description: Cryptographic SHA256 hashes of the target of the crossproc event. + - name: name + type: keyword + description: Full path to the target of the crossproc event on the device's local file system. + - name: publisher + type: group + description: Signature entry for the crossproc as reported by the endpoint. + fields: + - name: name + type: keyword + description: The name of the publisher. + - name: state + type: keyword + description: The state of the publisher. + - name: reputation + type: keyword + description: Carbon Black Cloud Reputation string for the crossproc. + - name: target + type: boolean + description: True if the process was the target of the cross-process event; false if the process was the actor. + - name: device + type: group + fields: + - name: os + type: keyword + description: Os name. + - name: timestamp + type: keyword + description: Time seen on sensor. + - name: internal_ip + type: ip + description: Internal IP of the device. + - name: external_ip + type: ip + description: External IP of the device. + - name: event_origin + type: keyword + description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. + - name: fileless_scriptload + type: group + fields: + - name: cmdline + type: keyword + description: Deobfuscated script content run in a fileless context by the process. + - name: cmdline_length + type: keyword + description: Character count of the deobfuscated script content run in a fileless context. + - name: hash + type: group + fields: + - name: md5 + type: keyword + description: MD5 hash of the deobfuscated script content run by the process in a fileless context. + - name: sha256 + type: keyword + description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context. + - name: modload + type: group + fields: + - name: count + type: long + description: Count of modload events reported by the sensor since last initialization. + - name: effective_reputation + type: keyword + description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. + - name: publisher + type: group + description: Signature entry for the moduleload as reported by the endpoint. + fields: + - name: name + type: keyword + description: The name of the publisher. + - name: state + type: keyword + description: The state of the publisher. + - name: netconn + type: group + fields: + - name: proxy + type: group + fields: + - name: domain + type: keyword + description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. + - name: ip + type: keyword + description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. + - name: port + type: keyword + description: UDP/TCP port number associated with the "proxy" end of this network connection. + - name: organization_key + type: keyword + description: The organization key associated with the console instance. + - name: process + type: group + fields: + - name: duration + type: long + description: The time difference in seconds between the process start and process terminate event. + - name: parent + type: group + fields: + - name: reputation + type: keyword + description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. + - name: publisher + type: group + description: Signature entry for the process as reported by the endpoint. + fields: + - name: name + type: keyword + description: The name of the publisher. + - name: state + type: keyword + description: The state of the publisher. + - name: reputation + type: keyword + description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. + - name: terminated + type: boolean + description: True if process was terminated elase false. + - name: username + type: keyword + description: The username associated with the user context that this process was started under. + - name: schema + type: long + description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. + - name: scriptload + type: group + fields: + - name: count + type: long + description: Count of scriptload events across all processes reported by the sensor since last initialization. + - name: effective_reputation + type: keyword + description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. + - name: hash + type: group + fields: + - name: md5 + type: keyword + description: Cryptographic MD5 hashes of the target of the scriptload event. + - name: sha256 + type: keyword + description: Cryptographic SHA256 hashes of the target of the scriptload event. + - name: name + type: keyword + description: Full path to the target of the crossproc event on the device's local file system. + - name: publisher + type: group + description: Signature entry for the scriptload as reported by the endpoint. + fields: + - name: name + type: keyword + description: The name of the publisher. + - name: state + type: keyword + description: The state of the publisher. + - name: reputation + type: keyword + description: Carbon Black Cloud Reputation string for the scriptload. + - name: sensor_action + type: keyword + description: The sensor action taken on event. + - name: target_cmdline + type: keyword + description: Process command line associated with the target process. + - name: type + type: keyword + description: The event type. diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/manifest.yml new file mode 100755 index 0000000000..5770608c6a --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/manifest.yml @@ -0,0 +1,89 @@ +title: Endpoint Event +type: logs +streams: + - input: aws-s3 + title: Collect endpoint events from Carbon Black Cloud + description: Collect endpoint events from Carbon Black Cloud. + template_path: aws-s3.yml.hbs + vars: + - name: bucket_list_prefix + type: text + title: '[S3] Bucket Prefix' + multi: false + required: false + show_user: true + default: endpoint_event_logs + description: Prefix to apply for the list request to the S3 bucket. + - name: interval + type: text + title: '[S3] Interval' + multi: false + required: false + show_user: true + default: 1m + description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. + - name: number_of_workers + type: integer + title: '[S3] Number of Workers' + multi: false + required: false + show_user: true + default: 5 + description: Number of workers that will process the S3 objects listed. + - name: visibility_timeout + type: text + title: '[SQS] Visibility Timeout' + multi: false + required: false + show_user: true + default: 300s + description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s. + - name: api_timeout + type: text + title: '[SQS] API Timeout' + multi: false + required: false + show_user: true + default: 120s + description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s. + - name: max_number_of_messages + type: integer + title: '[SQS] Maximum Concurrent SQS Messages' + required: false + show_user: true + default: 5 + description: The maximum number of SQS messages that can be inflight at any time. + - name: file_selectors + type: yaml + title: '[SQS] File Selectors' + multi: false + required: false + show_user: false + default: | + - regex: 'endpoint_event_logs/' + description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-endpoint-event + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/sample_event.json new file mode 100755 index 0000000000..f025682463 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/endpoint_event/sample_event.json @@ -0,0 +1,96 @@ +{ + "process": { + "parent": { + "pid": 1684, + "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", + "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", + "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", + "hash": { + "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", + "md5": "03dd698da2671383c9b4f868c9931879" + } + }, + "pid": 4880, + "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", + "command_line": "\"route.exe\" print", + "executable": "c:\\windows\\system32\\route.exe", + "hash": { + "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", + "md5": "2498272dc48446891182747428d02a30" + } + }, + "ecs": { + "version": "8.3.0" + }, + "carbon_black_cloud": { + "endpoint_event": { + "schema": 1, + "event_origin": "EDR", + "process": { + "duration": 2, + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": true, + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "XXXXXXXX", + "backend": { + "timestamp": "2022-02-10 11:52:50 +0000 UTC" + }, + "target_cmdline": "\"route.exe\" print", + "type": "endpoint.event.procend", + "device": { + "os": "WINDOWS", + "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", + "external_ip": "67.43.156.12" + }, + "sensor_action": "ACTION_ALLOW" + } + }, + "host": { + "hostname": "client-cb2", + "id": "4034605", + "os": { + "type": "windows" + }, + "ip": [ + "67.43.156.13" + ] + }, + "event": { + "action": "ACTION_PROCESS_TERMINATE", + "orignal": "{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" + }, + "data_stream": { + "dataset": "carbon_black_cloud.endpoint_event", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", + "snapshot": true, + "version": "8.0.0" + }, + "input": { + "type": "aws-s3" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-endpoint-event" + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..26c4d05045 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs @@ -0,0 +1,82 @@ +{{#if collect_s3_logs}} + +{{#if bucket_arn}} +bucket_arn: {{bucket_arn}} +{{/if}} +{{#if number_of_workers}} +number_of_workers: {{number_of_workers}} +{{/if}} +{{#if interval}} +bucket_list_interval: {{interval}} +{{/if}} +{{#if bucket_list_prefix}} +bucket_list_prefix: {{bucket_list_prefix}} +{{/if}} + +{{else}} + +{{#if queue_url}} +queue_url: {{queue_url}} +{{/if}} +{{#if visibility_timeout}} +visibility_timeout: {{visibility_timeout}} +{{/if}} +{{#if api_timeout}} +api_timeout: {{api_timeout}} +{{/if}} +{{#if max_number_of_messages}} +max_number_of_messages: {{max_number_of_messages}} +{{/if}} +{{#if file_selectors}} +file_selectors: +{{file_selectors}} +{{/if}} +{{/if}} + +expand_event_list_from_field: Records +{{#if access_key_id}} +access_key_id: {{access_key_id}} +{{/if}} +{{#if secret_access_key}} +secret_access_key: {{secret_access_key}} +{{/if}} +{{#if session_token}} +session_token: {{session_token}} +{{/if}} +{{#if shared_credential_file}} +shared_credential_file: {{shared_credential_file}} +{{/if}} +{{#if credential_profile_name}} +credential_profile_name: {{credential_profile_name}} +{{/if}} +{{#if role_arn}} +role_arn: {{role_arn}} +{{/if}} +{{#if endpoint}} +endpoint: {{endpoint}} +{{/if}} +{{#if fips_enabled}} +fips_enabled: {{fips_enabled}} +{{/if}} +{{#if proxy_url}} +proxy_url: {{proxy_url}} +{{/if}} +tags: +{{#if collect_s3_logs}} + - collect_s3_logs +{{else}} + - collect_sqs_logs +{{/if}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..f59084b05a --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,299 @@ +--- +description: Pipeline for parsing Carbon Black Cloud watchlist hit. +processors: + - set: + field: ecs.version + value: '8.4.0' + - set: + field: event.kind + value: event + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.create_time + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - rename: + field: json.severity + target_field: event.severity + ignore_missing: true + - convert: + field: json.device_id + target_field: host.id + type: string + ignore_missing: true + - set: + field: host.os.type + value: windows + if: ctx?.json?.device_os == "WINDOWS" + - set: + field: host.os.type + value: linux + if: ctx?.json?.device_os == "LINUX" + - set: + field: host.os.type + value: macos + if: ctx?.json?.device_os == "MAC" + - rename: + field: json.device_os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: json.device_name + target_field: host.hostname + ignore_missing: true + - grok: + field: host.hostname + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' + ignore_missing: true + ignore_failure: true + - set: + field: host.name + value: "{{{host.hostname}}}" + ignore_failure: true + - append: + field: host.ip + value: "{{{json.device_internal_ip}}}" + if: ctx?.json?.device_internal_ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: host.ip + value: "{{{json.device_external_ip}}}" + if: ctx?.json?.device_external_ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.process_cmdline + target_field: process.command_line + ignore_missing: true + - rename: + field: json.process_guid + target_field: process.entity_id + ignore_missing: true + - rename: + field: json.process_path + target_field: process.executable + ignore_missing: true + - rename: + field: json.process_pid + target_field: process.pid + ignore_missing: true + - rename: + field: json.parent_cmdline + target_field: process.parent.command_line + ignore_missing: true + - rename: + field: json.parent_guid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: json.parent_path + target_field: process.parent.executable + ignore_missing: true + - rename: + field: json.parent_pid + target_field: process.parent.pid + ignore_missing: true + - append: + field: related.ip + value: + - "{{{json.device_internal_ip}}}" + - "{{{json.device_external_ip}}}" + allow_duplicates: false + - append: + field: related.user + value: + - "{{{json.parent_username}}}" + - "{{{json.process_username}}}" + allow_duplicates: false + - append: + field: related.hosts + value: + - "{{{host.hostname}}}" + - "{{{user.domain}}}" + allow_duplicates: false + - script: + description: Dynamically map MD5 and SHA256 hash + lang: painless + source: | + void mapHashField(def ctx, def hashes, def key) { + for (hash in hashes) { + if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} + if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} + } + } + if (ctx.json?.process_hash instanceof List) { + mapHashField(ctx, ctx.json?.process_hash, "process_hash"); + } + if (ctx.json?.parent_hash instanceof List) { + mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); + } + - rename: + field: json.process_hash_md5 + target_field: process.hash.md5 + ignore_missing: true + - rename: + field: json.process_hash_sha256 + target_field: process.hash.sha256 + ignore_missing: true + - rename: + field: json.parent_hash_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - rename: + field: json.parent_hash_sha256 + target_field: process.parent.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: + - "{{{process.hash.md5}}}" + - "{{{process.hash.sha256}}}" + - "{{{process.parent.hash.md5}}}" + - "{{{process.parent.hash.sha256}}}" + allow_duplicates: false + - rename: + field: json.device_os + target_field: carbon_black_cloud.watchlist_hit.device.os + ignore_missing: true + - rename: + field: json.device_internal_ip + target_field: carbon_black_cloud.watchlist_hit.device.internal_ip + ignore_missing: true + - rename: + field: json.device_external_ip + target_field: carbon_black_cloud.watchlist_hit.device.external_ip + ignore_missing: true + - rename: + field: json.ioc_hit + target_field: carbon_black_cloud.watchlist_hit.ioc.hit + ignore_missing: true + - rename: + field: json.ioc_id + target_field: carbon_black_cloud.watchlist_hit.ioc.id + ignore_missing: true + - rename: + field: json.org_key + target_field: carbon_black_cloud.watchlist_hit.organization_key + ignore_missing: true + - foreach: + field: json.parent_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.parent_publisher + target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher + ignore_missing: true + - rename: + field: json.parent_reputation + target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation + ignore_missing: true + - rename: + field: json.parent_username + target_field: carbon_black_cloud.watchlist_hit.process.parent.username + ignore_missing: true + - foreach: + field: json.process_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.process_publisher + target_field: carbon_black_cloud.watchlist_hit.process.publisher + ignore_missing: true + - rename: + field: json.process_reputation + target_field: carbon_black_cloud.watchlist_hit.process.reputation + ignore_missing: true + - rename: + field: json.process_username + target_field: carbon_black_cloud.watchlist_hit.process.username + ignore_missing: true + - rename: + field: json.report_id + target_field: carbon_black_cloud.watchlist_hit.report.id + ignore_missing: true + - rename: + field: json.report_name + target_field: carbon_black_cloud.watchlist_hit.report.name + ignore_missing: true + - rename: + field: json.report_tags + target_field: carbon_black_cloud.watchlist_hit.report.tags + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + - script: + description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue(); + } + - remove: + field: + - json + - carbon_black_cloud.watchlist_hit.create_time + - carbon_black_cloud.watchlist_hit.device_id + - carbon_black_cloud.watchlist_hit.process_hash + - carbon_black_cloud.watchlist_hit.parent_hash + ignore_missing: true + - script: + description: Remove duplicate values + lang: painless + source: | + if (ctx?.related?.user != null) { + ctx.related.user = new HashSet(ctx.related.user) + } + if (ctx?.related?.hash != null) { + def hashes = new HashSet(ctx.related.hash); + def hash = new ArrayList(); + for (def h: hashes) { + hash.add(h); + } + Collections.sort(hash); + ctx.related.hash = hash; + } +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/agent.yml new file mode 100755 index 0000000000..1ff9745963 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/agent.yml @@ -0,0 +1,177 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/base-fields.yml new file mode 100755 index 0000000000..89df536282 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.watchlist_hit diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/ecs.yml new file mode 100755 index 0000000000..77c05e054a --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/ecs.yml @@ -0,0 +1,145 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: host.os.type + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/fields.yml new file mode 100755 index 0000000000..25cb25005e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/fields/fields.yml @@ -0,0 +1,89 @@ +- name: carbon_black_cloud.watchlist_hit + type: group + fields: + - name: device + type: group + fields: + - name: os + type: keyword + description: OS Type of device (Windows/OSX/Linux). + - name: internal_ip + type: ip + description: Internal IP of the device. + - name: external_ip + type: ip + description: External IP of the device. + - name: ioc + type: group + fields: + - name: field + type: keyword + description: Field the IOC hit contains. + - name: hit + type: keyword + description: IOC field value, or IOC query that matches. + - name: id + type: keyword + description: ID of the IOC that caused the hit. + - name: organization_key + type: keyword + description: The organization key associated with the console instance. + - name: process + type: group + fields: + - name: parent + type: group + fields: + - name: publisher + type: group + description: signature entry for the process as reported by the endpoint. + fields: + - name: name + type: keyword + description: The name of the publisher. + - name: state + type: keyword + description: The state of the publisher. + - name: reputation + type: keyword + description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. + - name: username + type: keyword + description: The username associated with the user context that this process was started under. + - name: publisher + type: group + description: signature entry for the process as reported by the endpoint. + - name: reputation + type: keyword + description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. + - name: username + type: keyword + description: The username associated with the user context that this process was started under. + - name: report + type: group + fields: + - name: id + type: keyword + description: ID of the watchlist report(s) that detected a hit on the process. + - name: name + type: keyword + description: Name of the watchlist report(s) that detected a hit on the process. + - name: tags + type: keyword + description: List of tags associated with the report(s) that detected a hit on the process. + - name: schema + type: long + description: Schema version. + - name: type + type: keyword + description: The watchlist hit type. + - name: watchlists + type: group + description: List of watchlists that contain the report of the ioc hit. + fields: + - name: id + type: keyword + description: The ID of the watchlists. + - name: name + type: keyword + description: The name of the watchlists. diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/manifest.yml new file mode 100755 index 0000000000..f522dac85c --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/manifest.yml @@ -0,0 +1,89 @@ +title: Watchlist Hit +type: logs +streams: + - input: aws-s3 + title: Collect watchlist hit from Carbon Black Cloud + description: Collect watchlist hit from Carbon Black Cloud. + template_path: aws-s3.yml.hbs + vars: + - name: bucket_list_prefix + type: text + title: '[S3] Bucket Prefix' + multi: false + required: false + show_user: true + default: watchlist_hit_logs + description: Prefix to apply for the list request to the S3 bucket. + - name: interval + type: text + title: '[S3] Interval' + multi: false + required: false + show_user: true + default: 1m + description: Time interval for polling listing of the S3 bucket. NOTE:- Supported units for this parameter are h/m/s. + - name: number_of_workers + type: integer + title: '[S3] Number of Workers' + multi: false + required: false + show_user: true + default: 5 + description: Number of workers that will process the S3 objects listed. + - name: visibility_timeout + type: text + title: '[SQS] Visibility Timeout' + multi: false + required: false + show_user: true + default: 300s + description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. NOTE:- Supported units for this parameter are h/m/s. + - name: api_timeout + type: text + title: '[SQS] API Timeout' + multi: false + required: false + show_user: true + default: 120s + description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. NOTE:- Supported units for this parameter are h/m/s. + - name: max_number_of_messages + type: integer + title: '[SQS] Maximum Concurrent SQS Messages' + required: false + show_user: true + default: 5 + description: The maximum number of SQS messages that can be inflight at any time. + - name: file_selectors + type: yaml + title: '[SQS] File Selectors' + multi: false + required: false + show_user: false + default: | + - regex: 'watchlist_hit_logs/' + description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-watchlist-hit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/sample_event.json new file mode 100755 index 0000000000..ec2206a46e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/data_stream/watchlist_hit/sample_event.json @@ -0,0 +1,130 @@ +{ + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-watchlist-hit" + ], + "input": { + "type": "aws-s3" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "carbon_black_cloud.watchlist_hit" + }, + "agent": { + "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.3.0" + }, + "process": { + "parent": { + "pid": 4076, + "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", + "executable": "c:\\windows\\syswow64\\cmd.exe", + "hash": { + "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", + "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" + } + }, + "pid": 7516, + "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", + "command_line": "sc query aella_conf ", + "executable": "c:\\windows\\syswow64\\sc.exe", + "hash": { + "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", + "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" + } + }, + "carbon_black_cloud": { + "watchlist_hit": { + "schema": 1, + "process": { + "parent": { + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "xxxxxxxx", + "report": { + "name": "Discovery - System Service Discovery Detected", + "id": "CFnKBKLTv6hUkBGFobRdg-565571", + "tags": [ + "attack", + "attackframework", + "threathunting", + "hunting", + "t1007", + "recon", + "discovery", + "windows" + ] + }, + "watchlists": [ + { + "name": "ATT\u0026CK Framework", + "id": "P5f9AW29TGmTOvBW156Cig" + } + ], + "type": "watchlist.hit", + "ioc": { + "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", + "id": "565571-0" + }, + "device": { + "internal_ip": "10.10.156.12", + "external_ip": "67.43.156.12", + "os": "WINDOWS" + } + } + }, + "host": { + "hostname": "Carbonblack-win1", + "os": { + "type": "windows" + }, + "ip": [ + "10.10.156.12", + "67.43.156.12" + ], + "id": "4467271" + }, + "event": { + "kind": "event", + "severity": 3, + "agent_id_status": "verified", + "ingested": "2022-02-17T07:23:31Z", + "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", + "dataset": "carbon_black_cloud.watchlist_hit" + } +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/docs/README.md b/packages/carbon_black_cloud/1.3.1/docs/README.md new file mode 100755 index 0000000000..dcb13af2a3 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/docs/README.md @@ -0,0 +1,1062 @@ +# VMware Carbon Black Cloud + +The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. + +## Compatibility + +This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. + +## Requirements + +### In order to ingest data from the AWS S3 bucket you must: +1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket. +2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). +3. The default value of the "Bucket List Prefix" is listed below. However, the user can set the parameter "Bucket List Prefix" according to the requirement. + + | Data Stream Name | Bucket List Prefix | + | ----------------- | ---------------------- | + | Alert | alert_logs | + | Endpoint Event | endpoint_event_logs | + | Watchlist Hit | watchlist_hit_logs | + +### To collect data from AWS SQS, follow the below steps: +1. If data forwarding to an AWS S3 Bucket hasn't been configured, then first setup an AWS S3 Bucket as mentioned in the above documentation. +2. To setup an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). + - While creating an SQS Queue, please provide the same bucket ARN that has been generated after creating an AWS S3 Bucket. +3. Setup event notification for an S3 bucket. Follow this [Link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). + - The user has to perform Step 3 for all the data-streams individually, and each time prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. (for example, `alert_logs/` for alert data stream.) + - For all the event notifications that have been created, select the event type as s3:ObjectCreated:*, select the destination type SQS Queue, and select the queue that has been created in Step 2. + +**Note**: + - Credentials for the above AWS S3 and SQS input types should be configured using the [link](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#aws-credentials-config). + - Data collection via AWS S3 Bucket and AWS SQS are mutually exclusive in this case. + +### In order to ingest data from the APIs you must generate API keys and API Secret Keys: +1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. +2. Click Add API Key. +3. Give the API key a unique name and description. + - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. + **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. + - Optional: Add authorized IP addresses. + - You can restrict the use of an API key to a specific set of IP addresses for security reasons. + **Note:** Authorized IP addresses are not available with Custom keys. +4. To apply the changes, click Save. + +#### Access Levels & Permissions +- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. + +| Data stream | Access Level and Permissions | +| --------------------------- | ------------------------------------------ | +| Audit | API | +| Alert | Custom orgs.alerts (Read) | +| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) | + + +## Note + +- The alert data stream has a 15-minute delay to ensure that no occurrences are missed. + +## Logs + +### Audit + +This is the `audit` dataset. + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2022-02-10T16:04:30.263Z", + "agent": { + "ephemeral_id": "a332765e-1e1f-4ec7-b24e-ae2d0dd5d74f", + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "carbon_black_cloud": { + "audit": { + "flagged": false, + "verbose": false + } + }, + "client": { + "ip": "10.10.10.10", + "user": { + "id": "abc@demo.com" + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-09-26T01:59:24.724Z", + "dataset": "carbon_black_cloud.audit", + "id": "2122f8ce8xxxxxxxxxxxxx", + "ingested": "2022-09-26T01:59:25Z", + "kind": "event", + "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", + "outcome": "success", + "reason": "Logged in successfully" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "name": "cb-xxxx-xxxx.com" + }, + "related": { + "ip": [ + "10.10.10.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-audit" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | +| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| organization.name | Organization name. | keyword | +| organization.name.text | Multi-field of `organization.name`. | match_only_text | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | + + +### Alert + +This is the `alert` dataset. + +An example event for `alert` looks as following: + +```json +{ + "@timestamp": "2020-11-17T22:05:13.000Z", + "agent": { + "ephemeral_id": "cc329655-90f8-4dc9-8014-e152f2b949da", + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "carbon_black_cloud": { + "alert": { + "category": "warning", + "device": { + "external_ip": "81.2.69.143", + "internal_ip": "81.2.69.144", + "location": "UNKNOWN", + "os": "WINDOWS" + }, + "last_update_time": "2020-11-17T22:05:13Z", + "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", + "organization_key": "ABCD6X3T", + "policy": { + "applied": "APPLIED", + "id": 6997287, + "name": "Standard" + }, + "product_id": "0x5406", + "product_name": "U3 Cruzer Micro", + "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", + "run_state": "DID_NOT_RUN", + "sensor_action": "DENY", + "serial_number": "0875920EF7C2A304", + "target_value": "MEDIUM", + "threat_cause": { + "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", + "threat_category": "NON_MALWARE", + "vector": "REMOVABLE_MEDIA" + }, + "threat_id": "t5678", + "type": "DEVICE_CONTROL", + "vendor_id": "0x0781", + "vendor_name": "SanDisk", + "workflow": { + "changed_by": "Carbon Black", + "last_update_time": "2020-11-17T22:02:16Z", + "state": "OPEN" + } + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-09-26T01:58:04.610Z", + "dataset": "carbon_black_cloud.alert", + "end": "2020-11-17T22:02:16Z", + "id": "test1", + "ingested": "2022-09-26T01:58:05Z", + "kind": "alert", + "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", + "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", + "severity": 3, + "start": "2020-11-17T22:02:16Z", + "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" + }, + "host": { + "hostname": "DESKTOP-002", + "id": "2", + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "name": "DESKTOP-002", + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-002" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "user": [ + "test34@demo.com" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-alert" + ], + "user": { + "name": "test34@demo.com" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword | +| carbon_black_cloud.alert.category | The category of the alert. | keyword | +| carbon_black_cloud.alert.count | | long | +| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. | keyword | +| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip | +| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip | +| carbon_black_cloud.alert.device.location | The Location of device. | keyword | +| carbon_black_cloud.alert.device.os | OS of the device. | keyword | +| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword | +| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword | +| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | +| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | +| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. | keyword | +| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date | +| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword | +| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword | +| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean | +| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | +| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword | +| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long | +| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword | +| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. | keyword | +| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. | keyword | +| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword | +| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword | +| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword | +| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword | +| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword | +| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword | +| carbon_black_cloud.alert.status | status of alert. | keyword | +| carbon_black_cloud.alert.tags | Tags associated with the alert. | keyword | +| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword | +| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword | +| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword | +| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword | +| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat. | keyword | +| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. | keyword | +| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword | +| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword | +| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. | keyword | +| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword | +| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword | +| carbon_black_cloud.alert.type | Type of alert. | keyword | +| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword | +| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword | +| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword | +| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword | +| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword | +| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword | +| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date | +| carbon_black_cloud.alert.workflow.remediation | N/A | keyword | +| carbon_black_cloud.alert.workflow.state | The state of workflow. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +### Endpoint Event + +This is the `endpoint_event` dataset. + +An example event for `endpoint_event` looks as following: + +```json +{ + "process": { + "parent": { + "pid": 1684, + "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", + "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", + "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", + "hash": { + "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", + "md5": "03dd698da2671383c9b4f868c9931879" + } + }, + "pid": 4880, + "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", + "command_line": "\"route.exe\" print", + "executable": "c:\\windows\\system32\\route.exe", + "hash": { + "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", + "md5": "2498272dc48446891182747428d02a30" + } + }, + "ecs": { + "version": "8.3.0" + }, + "carbon_black_cloud": { + "endpoint_event": { + "schema": 1, + "event_origin": "EDR", + "process": { + "duration": 2, + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": true, + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "XXXXXXXX", + "backend": { + "timestamp": "2022-02-10 11:52:50 +0000 UTC" + }, + "target_cmdline": "\"route.exe\" print", + "type": "endpoint.event.procend", + "device": { + "os": "WINDOWS", + "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", + "external_ip": "67.43.156.12" + }, + "sensor_action": "ACTION_ALLOW" + } + }, + "host": { + "hostname": "client-cb2", + "id": "4034605", + "os": { + "type": "windows" + }, + "ip": [ + "67.43.156.13" + ] + }, + "event": { + "action": "ACTION_PROCESS_TERMINATE", + "orignal": "{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" + }, + "data_stream": { + "dataset": "carbon_black_cloud.endpoint_event", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", + "snapshot": true, + "version": "8.0.0" + }, + "input": { + "type": "aws-s3" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-endpoint-event" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword | +| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword | +| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long | +| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. | keyword | +| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean | +| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip | +| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip | +| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword | +| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword | +| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword | +| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long | +| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword | +| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword | +| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance. | keyword | +| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long | +| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean | +| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword | +| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long | +| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long | +| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword | +| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword | +| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword | +| carbon_black_cloud.endpoint_event.type | The event type. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dll.hash.md5 | MD5 hash. | keyword | +| dll.hash.sha256 | SHA256 hash. | keyword | +| dll.path | Full file path of the library. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| registry.path | Full path, including hive, key and value | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | + + +### Watchlist Hit + +This is the `watchlist_hit` dataset. + +An example event for `watchlist_hit` looks as following: + +```json +{ + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-watchlist-hit" + ], + "input": { + "type": "aws-s3" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "carbon_black_cloud.watchlist_hit" + }, + "agent": { + "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.3.0" + }, + "process": { + "parent": { + "pid": 4076, + "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", + "executable": "c:\\windows\\syswow64\\cmd.exe", + "hash": { + "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", + "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" + } + }, + "pid": 7516, + "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", + "command_line": "sc query aella_conf ", + "executable": "c:\\windows\\syswow64\\sc.exe", + "hash": { + "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", + "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" + } + }, + "carbon_black_cloud": { + "watchlist_hit": { + "schema": 1, + "process": { + "parent": { + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "xxxxxxxx", + "report": { + "name": "Discovery - System Service Discovery Detected", + "id": "CFnKBKLTv6hUkBGFobRdg-565571", + "tags": [ + "attack", + "attackframework", + "threathunting", + "hunting", + "t1007", + "recon", + "discovery", + "windows" + ] + }, + "watchlists": [ + { + "name": "ATT\u0026CK Framework", + "id": "P5f9AW29TGmTOvBW156Cig" + } + ], + "type": "watchlist.hit", + "ioc": { + "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", + "id": "565571-0" + }, + "device": { + "internal_ip": "10.10.156.12", + "external_ip": "67.43.156.12", + "os": "WINDOWS" + } + } + }, + "host": { + "hostname": "Carbonblack-win1", + "os": { + "type": "windows" + }, + "ip": [ + "10.10.156.12", + "67.43.156.12" + ], + "id": "4467271" + }, + "event": { + "kind": "event", + "severity": 3, + "agent_id_status": "verified", + "ingested": "2022-02-17T07:23:31Z", + "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", + "dataset": "carbon_black_cloud.watchlist_hit" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip | +| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. | ip | +| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword | +| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword | +| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword | +| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword | +| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword | +| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword | +| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword | +| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword | +| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword | +| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword | +| carbon_black_cloud.watchlist_hit.schema | Schema version. | long | +| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. | keyword | +| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword | +| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | + + +### Asset Vulnerability Summary + +This is the `asset_vulnerability_summary` dataset. + +An example event for `asset_vulnerability_summary` looks as following: + +```json +{ + "@timestamp": "2022-09-26T01:58:41.710Z", + "agent": { + "ephemeral_id": "818ffeea-8e73-497b-bc16-b13e6bb3010c", + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "carbon_black_cloud": { + "asset_vulnerability_summary": { + "last_sync": { + "timestamp": "2022-01-17T08:33:37.384Z" + }, + "os_info": { + "os_arch": "64-bit" + }, + "sync": { + "status": "COMPLETED", + "type": "SCHEDULED" + }, + "type": "ENDPOINT", + "vuln_count": 1770 + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "15b19080-249c-49a5-801a-edf25c28dcfe", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-09-26T01:58:41.710Z", + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "ingested": "2022-09-26T01:58:45Z", + "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" + }, + "host": { + "hostname": "DESKTOP-008", + "id": "8", + "name": "DESKTOP-008KK", + "os": { + "name": "Microsoft Windows 10 Education", + "type": "windows", + "version": "10.0.17763" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-008" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-asset-vulnerability-summary" + ], + "vulnerability": { + "score": { + "base": 10 + }, + "severity": "CRITICAL" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date | +| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/carbon_black_cloud/1.3.1/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/1.3.1/img/carbon_black_cloud-logo.svg new file mode 100755 index 0000000000..180cc3d212 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/img/carbon_black_cloud-logo.svg @@ -0,0 +1,91 @@ + + + + +Created by potrace 1.16, written by Peter Selinger 2001-2019 + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/carbon_black_cloud/1.3.1/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/1.3.1/img/carbon_black_cloud-screenshot.png new file mode 100755 index 0000000000..6fda3c108d Binary files /dev/null and b/packages/carbon_black_cloud/1.3.1/img/carbon_black_cloud-screenshot.png differ diff --git a/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json new file mode 100755 index 0000000000..4879b5460d --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json @@ -0,0 +1,158 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"panelRefName\":\"panel_c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"panelRefName\":\"panel_d3728fd5-5390-4448-8f26-277521569f30\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"panelRefName\":\"panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"panelRefName\":\"panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"panelRefName\":\"panel_909c2914-4695-42dd-aa36-93e043a5c025\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"panelRefName\":\"panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"panelRefName\":\"panel_9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"panelRefName\":\"panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"panelRefName\":\"panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"panelRefName\":\"panel_ed2de824-c493-4240-a6b5-329889c40c43\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"panelRefName\":\"panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bf749130-3138-45fe-a010-5b30b4636e7b\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"bf749130-3138-45fe-a010-5b30b4636e7b\",\"panelRefName\":\"panel_bf749130-3138-45fe-a010-5b30b4636e7b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"panelRefName\":\"panel_44ed553e-d5cc-4841-85e9-0d8af122086a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"panelRefName\":\"panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"panelRefName\":\"panel_42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"panelRefName\":\"panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"panelRefName\":\"panel_ef6af3c0-10e9-46af-933c-a032464bdecf\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"panelRefName\":\"panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"panelRefName\":\"panel_247ad399-6383-4bf0-910e-9cb6767781c3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"panelRefName\":\"panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"panelRefName\":\"panel_0a228399-6f69-4803-b4cd-65f30dca5890\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b015940-3fee-411a-be82-661078ead366\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"5b015940-3fee-411a-be82-661078ead366\",\"panelRefName\":\"panel_5b015940-3fee-411a-be82-661078ead366\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"panelRefName\":\"panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"panelRefName\":\"panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"panelRefName\":\"panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"panelRefName\":\"panel_bc34dc1a-ba27-489e-a950-90a978974351\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-1h", + "timeRestore": true, + "timeTo": "now", + "title": "[Carbon Black Cloud] Alert", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", + "name": "c54d9223-56ad-42b4-9452-a44657dbcd6e:panel_c54d9223-56ad-42b4-9452-a44657dbcd6e", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", + "name": "d3728fd5-5390-4448-8f26-277521569f30:panel_d3728fd5-5390-4448-8f26-277521569f30", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", + "name": "f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c:panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", + "name": "5f57acd4-74a8-4d97-9e7b-d7b069efc867:panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", + "name": "909c2914-4695-42dd-aa36-93e043a5c025:panel_909c2914-4695-42dd-aa36-93e043a5c025", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", + "name": "c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5:panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", + "name": "9e320d15-f9df-4aea-9564-ac1c4257b51b:panel_9e320d15-f9df-4aea-9564-ac1c4257b51b", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", + "name": "5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c:panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", + "name": "7da33ed3-29d9-4fe1-87a9-4debfc7bdd24:panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", + "name": "ed2de824-c493-4240-a6b5-329889c40c43:panel_ed2de824-c493-4240-a6b5-329889c40c43", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", + "name": "a6d4e61e-57bc-413a-8c68-5f55ab59e16a:panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", + "name": "bf749130-3138-45fe-a010-5b30b4636e7b:panel_bf749130-3138-45fe-a010-5b30b4636e7b", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", + "name": "44ed553e-d5cc-4841-85e9-0d8af122086a:panel_44ed553e-d5cc-4841-85e9-0d8af122086a", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", + "name": "cd3cb74e-b13e-4a52-a48c-82d13a59421a:panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", + "name": "42b64f1c-9526-4430-8f62-cc6596cf07d7:panel_42b64f1c-9526-4430-8f62-cc6596cf07d7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", + "name": "b2fe20be-cad5-4bfa-abd1-c9b069fd2494:panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", + "name": "ef6af3c0-10e9-46af-933c-a032464bdecf:panel_ef6af3c0-10e9-46af-933c-a032464bdecf", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", + "name": "f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc:panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", + "name": "247ad399-6383-4bf0-910e-9cb6767781c3:panel_247ad399-6383-4bf0-910e-9cb6767781c3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", + "name": "5c60fc1b-5ad1-4036-8adc-ce9adf455758:panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", + "name": "0a228399-6f69-4803-b4cd-65f30dca5890:panel_0a228399-6f69-4803-b4cd-65f30dca5890", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", + "name": "5b015940-3fee-411a-be82-661078ead366:panel_5b015940-3fee-411a-be82-661078ead366", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", + "name": "655bc1d2-5c31-4a38-9759-ab72f88bdb92:panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", + "name": "8cdf7cdc-1858-4561-9e3b-5b5c73498586:panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", + "name": "2d6c60e3-32cc-4746-bc7d-3fa40b80447c:panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", + "name": "bc34dc1a-ba27-489e-a950-90a978974351:panel_bc34dc1a-ba27-489e-a950-90a978974351", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..129cd1c62a --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Audit Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..e3f216759c --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Endpoint Event", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", + "name": "panel_13", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..ee0df3955b --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Asset Vulnerability Summary", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", + "name": "panel_7", + "type": "search" + }, + { + "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", + "name": "panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..94761c84e1 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Watchlist Hit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", + "name": "panel_11", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..fde5382f93 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "carbon_black_cloud.watchlist_hit.watchlists.name", + "process.command_line", + "process.parent.command_line", + "process.executable", + "process.parent.executable", + "carbon_black_cloud.watchlist_hit.ioc.id", + "carbon_black_cloud.watchlist_hit.ioc.hit" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Watchlist Hit Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fdc104f3b2 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [ + "event.id", + "client.user.id", + "event.reason", + "client.ip" + ], + "description": "", + "grid": {}, + "hideChart": true, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Audit Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..800a5cb006 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "carbon_black_cloud.endpoint_event.type", + "process.command_line", + "process.parent.command_line", + "dll.path", + "carbon_black_cloud.endpoint_event.target_cmdline", + "process.executable", + "process.parent.executable" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Endpoint Events Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1a37e59347 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "event.id", + "event.reason", + "event.url", + "carbon_black_cloud.alert.threat_indicators.process_name", + "carbon_black_cloud.alert.category" + ], + "description": "", + "grid": {}, + "hideChart": true, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Alerts Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..c060c3bd41 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [ + "host.hostname", + "vulnerability.severity", + "vulnerability.score.base", + "carbon_black_cloud.asset_vulnerability_summary.vuln_count" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..bf6bf9170c --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..329118ed72 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fb78529067 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Client IPs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..edfb4ab922 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..e058315a1e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..e9926e3521 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..5c97a8d4eb --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..8bb3adabfb --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..7bec55f465 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..e4b7fe64f8 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..6b1cb56ea0 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..c59f3f2623 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..0a01e78828 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..682f389163 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..7af6d5ad55 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 IOC Hits", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1c116157a2 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Category", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3ced47d3fe --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..60cf2f819b --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..811d8c6112 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..e390c83ecc --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..02160d4bea --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 OS Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..6c64141f00 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Highest Vulnerability Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..630d474e6e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..228daf684c --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..1bd12c5d2e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Severity", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json new file mode 100755 index 0000000000..0919e5e20a --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Threat Cause Actor Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..0a3d26dad2 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Report Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..6e873422cb --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Highest Risk Score", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..48a0ff614a --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..b549ad14a1 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Sync Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..116934a90e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..ebce21d74d --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Sync Status", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..5d57824451 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 IOC Hit", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..dd5f86134d --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..60669ee962 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..19ad6bf381 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..7992c14128 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Devices", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..ebcc102bf4 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bf3592d08f --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1025e00226 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..c4ce665f33 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..7db345ec9b --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..37864260d1 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..cf20544145 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..dd2d0ee97a --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Usernames", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..bb4fb20b4b --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3a76cb6cae --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..29d985b4d8 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..50933d86cc --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bf02f82c2e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Policy Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bfebab9f24 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Reason Codes", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..85bf297c56 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..2ad0964cbb --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Request URLs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..cb945df49b --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fc1c6812f0 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3c04444ca9 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device External IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..a79db35e93 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..84fedf340e --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1c30c4f320 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..4a17555983 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.3.1/manifest.yml b/packages/carbon_black_cloud/1.3.1/manifest.yml new file mode 100755 index 0000000000..6e169bdfa2 --- /dev/null +++ b/packages/carbon_black_cloud/1.3.1/manifest.yml @@ -0,0 +1,190 @@ +format_version: 1.0.0 +name: carbon_black_cloud +title: VMware Carbon Black Cloud +version: "1.3.1" +license: basic +description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent. +type: integration +categories: + - security +release: ga +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/carbon_black_cloud-screenshot.png + title: Carbon Black Cloud alert dashboard screenshot + size: 600x600 + type: image/png +icons: + - src: /img/carbon_black_cloud-logo.svg + title: Carbon Black Cloud logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: carbon_black_cloud + title: Carbon Black Cloud + description: Collect Logs from Carbon Black Cloud + inputs: + - type: httpjson + title: Collect Carbon Black Cloud logs via API + description: Collect Carbon Black Cloud logs via API + vars: + - name: hostname + type: text + title: Hostname + description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname). + required: true + - name: org_key + type: text + title: Organization Key + description: Organization Key. + required: true + - name: custom_api_id + type: text + title: Custom API ID + description: API ID with Custom Access Level type. + required: true + - name: custom_api_secret_key + type: password + title: Custom API Secret Key + description: API Secret Key with Custom Access Level type + required: true + - name: api_id + type: text + title: API ID + description: API ID with API Access Level type. + required: true + - name: api_secret_key + type: password + title: API Secret Key + description: API Secret Key with API Access Level type + required: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - type: aws-s3 + title: Collect Carbon Black Cloud logs via AWS S3 or AWS SQS + description: Collect Carbon Black Cloud logs via AWS S3 or AWS SQS. + vars: + - name: collect_s3_logs + required: true + show_user: true + title: Collect logs via S3 Bucket + description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue. + type: bool + multi: false + default: false + - name: bucket_arn + type: text + title: "[S3] Bucket ARN" + multi: false + required: false + show_user: true + description: It is a required parameter for collecting logs via the AWS S3 Bucket. + - name: queue_url + type: text + title: "[SQS] Queue URL" + multi: false + required: false + show_user: true + description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS. + - name: access_key_id + type: password + title: Access Key ID + multi: false + required: false + show_user: true + description: First part of access key. + - name: secret_access_key + type: password + title: Secret Access Key + multi: false + required: false + show_user: true + description: Second part of access key. + - name: session_token + type: text + title: Session Token + multi: false + required: false + show_user: true + description: Required when using temporary security credentials. + - name: shared_credential_file + type: text + title: Shared Credential File + multi: false + required: false + show_user: false + description: Directory of the shared credentials file. + - name: credential_profile_name + type: text + title: Credential Profile Name + multi: false + required: false + show_user: false + description: Profile name in shared credentials file. + - name: role_arn + type: text + title: Role ARN + multi: false + required: false + show_user: false + description: AWS IAM Role to assume. + - name: endpoint + type: text + title: Endpoint + multi: false + required: false + show_user: false + default: "" + description: URL of the entry point for an AWS web service. + - name: fips_enabled + type: bool + title: Enable S3 FIPS + default: false + multi: false + required: false + show_user: false + description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. +owner: + github: elastic/security-external-integrations diff --git a/packages/cef/2.3.4/LICENSE.txt b/packages/cef/2.3.4/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cef/2.3.4/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cef/2.3.4/changelog.yml b/packages/cef/2.3.4/changelog.yml new file mode 100755 index 0000000000..d31a419c52 --- /dev/null +++ b/packages/cef/2.3.4/changelog.yml @@ -0,0 +1,169 @@ +# newer versions go on top +- version: "2.3.4" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4399 +- version: "2.3.3" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "2.3.2" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "2.3.1" + changes: + - description: Remove unused visualizations + type: enhancement + link: https://github.com/elastic/integrations/issues/3975 +- version: "2.3.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3842 +- version: "2.2.1" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "2.2.0" + changes: + - description: Add generic CEF dashboards + type: enhancement + link: https://github.com/elastic/integrations/pull/3526 +- version: "2.1.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "2.0.3" + changes: + - description: Format source.mac and destination.mac as per ECS. + type: bugfix + link: https://github.com/elastic/integrations/pull/3566 +- version: "2.0.2" + changes: + - description: Improve field documentation + type: enhancement + link: https://github.com/elastic/integrations/pull/3465 +- version: "2.0.1" + changes: + - description: Clarify scope of dashboards + type: bugfix + link: https://github.com/elastic/integrations/pull/3470 +- version: "2.0.0" + changes: + - description: Migrate map visualisation from tile_map to map object + type: enhancement + link: https://github.com/elastic/integrations/pull/3263 +- version: "1.5.0" + changes: + - description: Update to ECS 8.2 by modifying Check Point events to use the new email field set. + type: enhancement + link: https://github.com/elastic/integrations/pull/2804 +- version: "1.4.3" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.4.2" + changes: + - description: Add field mappings for several `event.*` fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/2808 +- version: "1.4.1" + changes: + - description: Append pipeline errors to error.message instead of overwriting existing errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/2789 +- version: "1.4.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2386 +- version: "1.3.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.3.0" + changes: + - description: Change test IPs to the supported set for GeoIP + type: enhancement + link: https://github.com/elastic/integrations/pull/2216 + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2216 +- version: "1.2.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1950 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1802 +- version: "1.2.0" + changes: + - description: Add CEF time zone config option. + type: enhancement + link: https://github.com/elastic/integrations/pull/1723 +- version: "1.1.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1652 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1604 +- version: "0.5.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1469 +- version: '0.5.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1375 +- version: "0.5.0" + changes: + - description: Update documentation to fit mdx spec + type: enhancement + link: https://github.com/elastic/integrations/pull/1401 +- version: "0.4.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.3.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1255 +- version: "0.2.0" + changes: + - description: update to ECS 1.10.0 and adding event.original options. + type: enhancement + link: https://github.com/elastic/integrations/pull/1032 +- version: "0.1.0" + changes: + - description: Change syslog input to udp input. Add syslog timestamp parsing to Ingest Node pipeline. + type: enhancement + link: https://github.com/elastic/integrations/pull/898 +- version: "0.0.4" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/838 +- version: "0.0.1" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/418 diff --git a/packages/cef/2.3.4/data_stream/log/agent/stream/log.yml.hbs b/packages/cef/2.3.4/data_stream/log/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..c9f24092e8 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/agent/stream/log.yml.hbs @@ -0,0 +1,27 @@ +paths: + {{#each paths as |path i|}} +- {{path}} + {{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- rename: + fields: + - {from: "message", to: "event.original"} +- decode_cef: + field: event.original +{{#if decode_cef_timezone}} + timezone: {{ decode_cef_timezone }} +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/cef/2.3.4/data_stream/log/agent/stream/udp.yml.hbs b/packages/cef/2.3.4/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..4d71aa0234 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,23 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- rename: + fields: + - {from: "message", to: "event.original"} +- decode_cef: + field: event.original +{{#if decode_cef_timezone}} + timezone: {{ decode_cef_timezone }} +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml b/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml new file mode 100755 index 0000000000..8a53e9b0c7 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml @@ -0,0 +1,380 @@ +--- +description: Pipeline for Check Point CEF + +processors: + # This script is mapping CEF extensions to ECS when possible. Otherwise + # it maps them to fields under the `checkpoint` group using Check Point log + # field names. + # + # [1] Description of Check Point CEF extensions: + # https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060 + # [2] Description of Check Point log field names (sk144192): + # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192 + # + # Note that in some cases the CEF extension name doesn't accurately describe + # its contents. For example sntdom/sourceNtDomain, which is used to store + # Check Point's domain_name, documented as "Domain name sent to DNS request". + # + # This script processes the `params.extensions` list below. This list consists + # of two different kinds of mappings, the simpler has a source ext `name` + # and a `to` field. It copies the given extension field to the target `to`. + # + # When the `labels` dict is defined, the target field depends on the value of + # the accompanying label field. For example, the field deviceCustomIPv6Address2 + # is mapped to `source.ip` only when the extension deviceCustomIPv6Address2Label + # exists and its value is "Source IPv6 Address". + # + # Also it can convert the destination value by simple mapping when the + # convert key exists. Values without an entry in the convert dict are not + # copied and the target field remains unset. + # + # The output of this processor is a single field, `_tmp_copy`, that contains + # a list of actions `{"to": "target_field", "value":"field value"}` that is + # later executed using a foreach processor. This is done to avoid complex + # de-dotting and other gotchas of setting arbitrary fields in Painless. + - script: + lang: painless + params: + extensions: + - name: cp_app_risk + to: checkpoint.app_risk + + - name: cp_app_risk + to: event.risk_score + # This mapping is a mix of [1] and [2] above. + convert: + unknown: 0 + informational: 0 + very-low: 1 + low: 2 + medium: 3 + high: 4 + very-high: 5 + critical: 5 + + - name: cp_severity + to: checkpoint.severity + + - name: cp_severity + to: event.severity + convert: + # This mapping is a mix of [1] and [2] above. + unknown: 0 + informational: 0 + very-low: 1 + low: 1 + medium: 2 + high: 3 + very-high: 4 + critical: 4 + + # Number of events associated with the log + - name: baseEventCount + to: checkpoint.event_count + + # Log type + - name: deviceExternalId + to: observer.type + + # Product Family (override deviceExternalId if present). + - name: deviceFacility + to: observer.type + convert: + '0': Network + '1': Endpoint + '2': Access + '3': Threat + '4': Mobile + + # Gateway interface, where the connection is received from in case of an outbound connection + - name: deviceInboundInterface + to: observer.ingress.interface.name + + # Gateway interface, where the connection is sent from, in case of an inbound connection + - name: deviceOutboundInterface + to: observer.egress.interface.name + + - name: externalId + to: checkpoint.uuid + + - name: fileHash + to: checkpoint.file_hash + + - name: reason + to: checkpoint.termination_reason + + # Possibly an IKE cookie + - name: requestCookies + to: checkpoint.cookie + + # Probably a typo in CP's CEF docs + - name: checkrequestCookies + to: checkpoint.cookie + + # Domain name sent to DNS request + - name: sourceNtDomain + to: dns.question.name + + # CVE registry entry + - name: Signature + to: vulnerability.id + + - name: Recipient + to: destination.user.email + + - name: Sender + to: source.user.email + + - name: deviceCustomFloatingPoint1 + labels: + update version: observer.version + + - name: deviceCustomIPv6Address2 + labels: + source ipv6 address: source.ip + + - name: deviceCustomIPv6Address3 + labels: + destination ipv6 address: destination.ip + + - name: deviceCustomNumber1 + labels: + payload: network.bytes + elapsed time in seconds: event.duration + email recipients number: checkpoint.email_recipients_num + + - name: deviceCustomNumber2 + labels: + duration in seconds: event.duration + icmp type: checkpoint.icmp_type + + - name: deviceCustomNumber3 + labels: + icmp code: checkpoint.icmp_code + + - name: deviceCustomString1 + labels: + application rule name: rule.name + dlp rule name: rule.name + threat prevention rule name: rule.name + connectivity state: checkpoint.connectivity_state + email id: checkpoint.email_id + voip log type: checkpoint.voip_log_type + + - name: deviceCustomString2 + labels: + # Protection malware id + protection id: checkpoint.protection_id + update status: checkpoint.update_status + email subject: checkpoint.email_subject + sensor mode: checkpoint.sensor_mode + scan invoke type: checkpoint.integrity_av_invoke_type + category: checkpoint.category + # Matched categories + categories: rule.category + peer gateway: checkpoint.peer_gateway + + - name: deviceCustomString6 + labels: + application name: network.application + virus name: checkpoint.virus_name + malware name: checkpoint.spyware_name + malware family: checkpoint.malware_family + + - name: deviceCustomString3 + labels: + user group: group.name + # Format of original data. + incident extension: checkpoint.incident_extension + identity type: checkpoint.identity_type + email spool id: checkpoint.email_spool_id + # Type of protection used to detect the attack + protection type: checkpoint.protection_type + + - name: deviceCustomString4 + labels: + malware status: checkpoint.spyware_status + destination os: os.name + scan result: checkpoint.scan_result + frequency: checkpoint.frequency + protection name: checkpoint.protection_name + user response: checkpoint.user_status + email control: checkpoint.email_control + tcp flags: checkpoint.tcp_flags + threat prevention rule id: rule.id + + - name: deviceCustomString5 + labels: + matched category: rule.category + authentication method: checkpoint.auth_method + email session id: checkpoint.email_session_id + vlan id: network.vlan.id + + - name: deviceCustomDate2 + labels: + subscription expiration: checkpoint.subs_exp + + - name: deviceFlexNumber1 + labels: + confidence: checkpoint.confidence_level + + - name: deviceFlexNumber2 + labels: + destination phone number: checkpoint.dst_phone_number + performance impact: checkpoint.performance_impact + + - name: flexString1 + labels: + application signature id: checkpoint.app_sig_id + + - name: flexString2 + labels: + malware action: rule.description + attack information: event.action + + - name: rule_uid + to: rule.uuid + + - name: ifname + to: observer.ingress.interface.name + + - name: inzone + to: observer.ingress.zone + + - name: outzone + to: observer.egress.zone + + - name: product + to: observer.product + + source: | + def actions = new ArrayList(); + def exts = ctx.cef?.extensions; + if (exts == null) return; + for (entry in params.extensions) { + def value = exts[entry.name]; + if (value == null || + (entry.convert != null && + (value=entry.convert[value.toLowerCase()]) == null)) + continue; + if (entry.to != null) { + actions.add([ + "value": value, + "to": entry.to + ]); + continue; + } + def label = exts[entry.name + "Label"]; + if (label == null) continue; + def dest = entry.labels[label.toLowerCase()]; + if (dest == null) continue; + actions.add([ + "value": value, + "to": dest + ]); + } + ctx["_tmp_copy"] = actions; + + - foreach: + field: _tmp_copy + processor: + set: + field: "{{_ingest._value.to}}" + value: "{{_ingest._value.value}}" + + - remove: + field: _tmp_copy + + - set: + field: email.to.address + value: ["{{{destination.user.email}}}"] + if: "ctx?.destination?.user?.email != null" + - set: + field: email.from.address + value: ["{{{source.user.email}}}"] + if: "ctx?.source?.user?.email != null" + - set: + field: email.subject + copy_from: checkpoint.email_subject + if: "ctx?.checkpoint?.email_subject != null" + - set: + field: email.message_id + copy_from: checkpoint.email_session_id + if: "ctx?.checkpoint?.email_session_id != null" + - convert: + field: event.risk_score + type: float + ignore_missing: true + on_failure: + - remove: + field: event.risk_score + - convert: + field: event.severity + type: long + ignore_missing: true + on_failure: + - remove: + field: event.severity + + # event.duration is a string and contains seconds. Convert to long nanos. + - script: + params: + second_to_nanos: 1000000000 + lang: painless + source: | + def duration = ctx.event?.duration; + if (duration == null) return; + ctx.event.duration = Long.parseLong(duration) * params.second_to_nanos; + on_failure: + - remove: + field: event.duration + ignore_missing: true + + # checkpoint.file_hash can be either MD5, SHA1 or SHA256. + - rename: + field: checkpoint.file_hash + target_field: file.hash.md5 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha1 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha256 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64' + + # Event kind is 'event' by default. 'alert' when a risk score and rule info + # is present. + - set: + field: event.kind + value: event + - set: + field: event.kind + value: alert + if: 'ctx.cef?.extensions?.cp_app_risk != null && ctx.rule != null' + + # Set event.category to network/malware/intrusion_detection depending on which + # fields have been populated. + - set: + field: event.category + value: network + if: 'ctx.source?.ip != null && ctx.destination?.ip != null' + - set: + field: event.category + value: malware + if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' + - set: + field: event.category + value: intrusion_detection + if: 'ctx.event?.category != "malware" && (ctx.checkpoint?.protection_type != null || ctx.cef.extensions?.flexString2Label == "Attack Information")' + + - convert: + field: checkpoint.event_count + type: long + ignore_missing: true + - convert: + field: cef.extensions.baseEventCount + type: long + ignore_missing: true + diff --git a/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..01c4ed82c6 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,177 @@ +--- +description: Pipeline for CEF logs. CEF decoding happens in the Agent. This performs additional enrichment and vendor specific transformations. + +processors: + - set: + field: ecs.version + value: '8.4.0' + + - convert: + field: event.id + type: string + ignore_missing: true + + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hash + value: "{{cef.extensions.fileHash}}" + allow_duplicates: false + if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''" + - append: + field: related.hash + value: "{{cef.extensions.oldFileHash}}" + allow_duplicates: false + if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''" + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''" + - append: + field: related.ip + value: "{{destination.nat.ip}}" + allow_duplicates: false + if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != ''" + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: "ctx?.source?.ip != null && ctx?.source?.ip != ''" + - append: + field: related.ip + value: "{{source.nat.ip}}" + allow_duplicates: false + if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''" + - append: + field: related.user + value: "{{destination.user.name}}" + if: "ctx?.destination?.user?.name != null" + - append: + field: related.user + value: "{{source.user.name}}" + allow_duplicates: false + if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''" + - append: + field: related.hosts + value: "{{observer.hostname}}" + allow_duplicates: false + if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''" + - pipeline: + name: '{{ IngestPipeline "fp-pipeline" }}' + if: "ctx.cef?.device?.vendor == 'FORCEPOINT'" + - pipeline: + name: '{{ IngestPipeline "cp-pipeline" }}' + if: "ctx.cef?.device?.vendor == 'Check Point'" + - community_id: {} + + # Ensure source.mac and destination.mac are formatted to ECS specifications. + - gsub: + field: destination.mac + ignore_missing: true + pattern: '[:.]' + replacement: '-' + - gsub: + field: source.mac + ignore_missing: true + pattern: '[:.]' + replacement: '-' + - uppercase: + field: destination.mac + ignore_missing: true + - uppercase: + field: source.mac + ignore_missing: true + + # + # Timestamp parsing. + # + - grok: + # decode_cef sets @timestamp when deviceReceiptTime is provided. + description: Extract timestamp from log header when deviceReceiptTime not given. + if: ctx?.cef?.extensions?.deviceReceiptTime == null + field: event.original + patterns: + - '^%{SYSLOG_TIMESTAMP} ' + - '^%{ECS_SYSLOG_PRI}%{SYSLOG_TIMESTAMP} ' # RFC3164 + - '^%{ECS_SYSLOG_PRI}%{NONNEGINT} %{SYSLOG_TIMESTAMP} ' # RFC5224 + pattern_definitions: + ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>' + SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})' + ignore_failure: true + - date: + if: ctx?._tmp?.timestamp8601 != null + field: _tmp.timestamp8601 + formats: + - ISO8601 + - date: + if: ctx?._tmp?.timestamp != null + field: _tmp.timestamp + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - remove: + field: + - _tmp + ignore_failure: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + + # Cleanup + - remove: + field: + - cef.extensions._cefVer + ignore_missing: true + +on_failure: + - remove: + field: + - _tmp + ignore_failure: true + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml b/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml new file mode 100755 index 0000000000..f87d217328 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml @@ -0,0 +1,27 @@ +--- +description: Pipeline for Forcepoint CEF + +processors: + # cs1 is ruleID + - set: + field: rule.id + value: "{{cef.extensions.deviceCustomString1}}" + ignore_empty_value: true + + # cs2 is natRuleID + - set: + field: rule.id + value: "{{cef.extensions.deviceCustomString2}}" + ignore_empty_value: true + + # cs3 is VulnerabilityReference + - set: + field: vulnerability.reference + value: "{{cef.extensions.deviceCustomString3}}" + ignore_empty_value: true + + # cs4 is virusID + - set: + field: cef.forcepoint.virus_id + value: "{{cef.extensions.deviceCustomString4}}" + ignore_empty_value: true diff --git a/packages/cef/2.3.4/data_stream/log/fields/agent.yml b/packages/cef/2.3.4/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..d03a5f0211 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/fields/agent.yml @@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/cef/2.3.4/data_stream/log/fields/base-fields.yml b/packages/cef/2.3.4/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..88e15e9046 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cef +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cef.log +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cef/2.3.4/data_stream/log/fields/ecs.yml b/packages/cef/2.3.4/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..92436bf957 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/fields/ecs.yml @@ -0,0 +1,389 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: Unique identifier for the group on the system/platform. + name: destination.user.group.id + type: keyword +- description: Name of the group. + name: destination.user.group.name + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + normalize: + - array + type: keyword +- description: The email address of recipient + name: email.to.address + normalize: + - array + type: keyword +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: Primary group name of the file. + name: file.group + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + normalize: + - array + type: ip +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: Unique identifier for the group on the system/platform. + name: source.user.group.id + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long diff --git a/packages/cef/2.3.4/data_stream/log/fields/fields.yml b/packages/cef/2.3.4/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..7f14123cc3 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/fields/fields.yml @@ -0,0 +1,593 @@ +- name: cef.name + type: keyword +- name: cef.severity + type: keyword +- name: cef.version + type: keyword +- name: destination.service.name + type: keyword +- name: source.service.name + type: keyword +- name: cef.forcepoint + type: group + fields: + - name: virus_id + type: keyword + description: | + Virus ID +- name: checkpoint + type: group + fields: + - name: app_risk + type: keyword + description: Application risk. + - name: app_severity + type: keyword + description: Application threat severity. + - name: app_sig_id + type: keyword + description: The signature ID which the application was detected by. + - name: auth_method + type: keyword + description: Password authentication protocol used. + - name: category + type: keyword + description: Category. + - name: confidence_level + type: integer + description: Confidence level determined. + - name: connectivity_state + type: keyword + description: Connectivity state. + - name: cookie + type: keyword + description: IKE cookie. + - name: dst_phone_number + type: keyword + description: Destination IP-Phone. + - name: email_control + type: keyword + description: Engine name. + - name: email_id + type: keyword + description: Internal email ID. + - name: email_recipients_num + type: long + description: Number of recipients. + - name: email_session_id + type: keyword + description: Internal email session ID. + - name: email_spool_id + type: keyword + description: Internal email spool ID. + - name: email_subject + type: keyword + description: Email subject. + - name: event_count + type: long + description: Number of events associated with the log. + - name: frequency + type: keyword + description: Scan frequency. + - name: icmp_type + type: long + description: ICMP type. + - name: icmp_code + type: long + description: ICMP code. + - name: identity_type + type: keyword + description: Identity type. + - name: incident_extension + type: keyword + description: Format of original data. + - name: integrity_av_invoke_type + type: keyword + description: Scan invoke type. + - name: malware_family + type: keyword + description: Malware family. + - name: peer_gateway + type: ip + description: Main IP of the peer Security Gateway. + - name: performance_impact + type: integer + description: Protection performance impact. + - name: protection_id + type: keyword + description: Protection malware ID. + - name: protection_name + type: keyword + description: Specific signature name of the attack. + - name: protection_type + type: keyword + description: Type of protection used to detect the attack. + - name: scan_result + type: keyword + description: Scan result. + - name: sensor_mode + type: keyword + description: Sensor mode. + - name: severity + type: keyword + description: Threat severity. + - name: spyware_name + type: keyword + description: Spyware name. + - name: spyware_status + type: keyword + description: Spyware status. + - name: subs_exp + type: date + description: The expiration date of the subscription. + - name: tcp_flags + type: keyword + description: TCP packet flags. + - name: termination_reason + type: keyword + description: Termination reason. + - name: update_status + type: keyword + description: Update status. + - name: user_status + type: keyword + description: User response. + - name: uuid + type: keyword + description: External ID. + - name: virus_name + type: keyword + description: Virus name. + - name: voip_log_type + type: keyword + description: VoIP log types. +- name: cef.device + type: group + fields: + - name: event_class_id + type: keyword + description: Unique identifier of the event type. + - name: product + type: keyword + description: Product of the device that produced the message. + - name: vendor + type: keyword + description: Vendor of the device that produced the message. + - name: version + type: keyword + description: Version of the product that produced the message. +- name: cef.extensions + type: group + fields: + - name: agentAddress + type: ip + description: The IP address of the ArcSight connector that processed the event. + - name: agentHostName + type: keyword + description: The hostname of the ArcSight connector that processed the event. + - name: agentId + type: keyword + description: The agent ID of the ArcSight connector that processed the event. + - name: agentReceiptTime + type: date + description: The time at which information about the event was received by the ArcSight connector. + - name: agentTimeZone + type: keyword + description: The agent time zone of the ArcSight connector that processed the event. + - name: agentType + type: keyword + description: The agent type of the ArcSight connector that processed the event. + - name: destinationHostName + type: keyword + description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. + - name: deviceTimeZone + type: keyword + description: The time zone for the device generating the event. + - name: requestUrlFileName + type: keyword + - name: startTime + type: date + description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). + - name: type + type: long + description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). + - name: agentVersion + type: keyword + description: The version of the ArcSight connector that processed the event. + - name: agentZoneURI + type: keyword + - name: deviceSeverity + type: keyword + - name: deviceZoneURI + type: keyword + description: Thee URI for the Zone that the device asset has been assigned to in ArcSight. + - name: fileType + type: keyword + description: Type of file (pipe, socket, etc.) + - name: filename + type: keyword + description: Name of the file only (without its path). + - name: managerReceiptTime + type: date + description: When the Arcsight ESM received the event. + - name: agentMacAddress + type: keyword + description: The MAC address of the ArcSight connector that processed the event. + - name: deviceProcessName + type: keyword + description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX. + - name: baseEventCount + type: long + description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. + - name: dvc + type: ip + description: This field is used by Trend Micro if the hostname is an IPv4 address. + - name: dvchost + type: keyword + description: This field is used by Trend Micro for hostnames and IPv6 addresses. + - name: cp_app_risk + type: keyword + - name: cp_severity + type: keyword + - name: ifname + type: keyword + - name: inzone + type: keyword + - name: layer_uuid + type: keyword + - name: layer_name + type: keyword + - name: logid + type: keyword + - name: loguid + type: keyword + - name: match_id + type: keyword + - name: nat_addtnl_rulenum + type: keyword + - name: nat_rulenum + type: keyword + - name: origin + type: keyword + - name: originsicname + type: keyword + - name: outzone + type: keyword + - name: parent_rule + type: keyword + - name: product + type: keyword + - name: rule_action + type: keyword + - name: rule_uid + type: keyword + - name: sequencenum + type: keyword + - name: service_id + type: keyword + - name: version + type: keyword + - name: applicationProtocol + type: keyword + description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. + - name: categoryDeviceGroup + type: keyword + description: General device group like Firewall (ArcSight). + - name: categoryTechnique + type: keyword + description: Technique being used (e.g. /DoS) (ArcSight). + - name: deviceEventCategory + type: keyword + description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". + - name: sourceNtDomain + type: keyword + description: The Windows domain name for the source address. + - name: destinationNtDomain + type: keyword + description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). + - name: categoryOutcome + type: keyword + description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). + - name: categorySignificance + type: keyword + description: Characterization of the importance of the event (ArcSight). + - name: categoryObject + type: keyword + description: Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). + - name: categoryBehavior + type: keyword + description: Action or a behavior associated with an event. It's what is being done to the object (ArcSight). + - name: categoryDeviceType + type: keyword + description: Device type. Examples - Proxy, IDS, Web Server (ArcSight). + - name: bytesIn + type: long + description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. + - name: bytesOut + type: long + description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. + - name: destinationAddress + type: ip + description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. + - name: destinationPort + type: long + description: The valid port numbers are between 0 and 65535. + - name: destinationServiceName + type: keyword + description: The service targeted by this event. + - name: destinationTranslatedAddress + type: ip + description: Identifies the translated destination that the event refers to in an IP network. + - name: destinationTranslatedPort + type: long + description: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. + - name: destinationUserName + type: keyword + description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. + - name: destinationUserPrivileges + type: keyword + description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". + - name: deviceAction + type: keyword + description: Action taken by the device. + - name: deviceAddress + type: ip + description: Identifies the device address that an event refers to in an IP network. + - name: deviceCustomDate2 + type: keyword + description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomDate2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomNumber1 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomNumber1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomNumber2 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomNumber2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomNumber3 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomNumber3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString1 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString2 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString3 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString4 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString4Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString5 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString5Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString6 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString6Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceDirection + type: long + description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. + - name: deviceExternalId + type: keyword + description: A name that uniquely identifies the device generating this event. + - name: deviceFacility + type: keyword + description: The facility generating this event. For example, Syslog has an explicit facility associated with every event. + - name: deviceHostName + type: keyword + description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. + - name: deviceOutboundInterface + type: keyword + description: Interface on which the packet or data left the device. + - name: deviceReceiptTime + type: keyword + description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) + - name: eventId + type: long + description: This is a unique ID that ArcSight assigns to each event. + - name: fileHash + type: keyword + description: Hash of a file. + - name: message + type: keyword + description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. + - name: oldFileHash + type: keyword + description: Hash of the old file. + - name: requestContext + type: keyword + description: Description of the content from which the request originated (for example, HTTP Referrer). + - name: requestMethod + type: keyword + description: The HTTP method used to access a URL. + - name: requestUrl + type: keyword + description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. + - name: method + type: keyword + description: HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + - name: sourceAddress + type: ip + description: Identifies the source that an event refers to in an IP network. + - name: sourceGeoLatitude + type: long + - name: sourceGeoLongitude + type: long + - name: sourcePort + type: long + description: The valid port numbers are 0 to 65535. + - name: sourceServiceName + type: keyword + description: The service that is responsible for generating this event. + - name: sourceTranslatedAddress + type: ip + description: Identifies the translated source that the event refers to in an IP network. + - name: sourceTranslatedPort + type: long + description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. + - name: sourceUserName + type: keyword + description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. + - name: sourceUserPrivileges + type: keyword + description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". + - name: transportProtocol + type: keyword + description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. + - name: ad + type: flattened + - name: TrendMicroDsDetectionConfidence + type: keyword + - name: TrendMicroDsFileMD5 + type: keyword + - name: TrendMicroDsFileSHA1 + type: keyword + - name: TrendMicroDsFileSHA256 + type: keyword + - name: TrendMicroDsFrameType + type: keyword + - name: TrendMicroDsMalwareTarget + type: keyword + - name: TrendMicroDsMalwareTargetType + type: keyword + - name: TrendMicroDsPacketData + type: keyword + - name: TrendMicroDsRelevantDetectionNames + type: keyword + - name: TrendMicroDsTenant + type: keyword + - name: TrendMicroDsTenantId + type: keyword + - name: assetCriticality + type: keyword + - name: deviceAssetId + type: keyword + - name: deviceCustomIPv6Address1 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomIPv6Address1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomIPv6Address2 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomIPv6Address2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomIPv6Address3 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomIPv6Address3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomIPv6Address4 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomIPv6Address4Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceInboundInterface + type: keyword + description: Interface on which the packet or data entered the device. + - name: deviceZoneID + type: keyword + - name: eventAnnotationAuditTrail + type: keyword + - name: eventAnnotationEndTime + type: date + - name: eventAnnotationFlags + type: keyword + - name: eventAnnotationManagerReceiptTime + type: date + - name: eventAnnotationModificationTime + type: date + - name: eventAnnotationStageUpdateTime + type: date + - name: eventAnnotationVersion + type: keyword + - name: locality + type: keyword + - name: modelConfidence + type: keyword + - name: originalAgentAddress + type: keyword + - name: originalAgentHostName + type: keyword + - name: originalAgentId + type: keyword + - name: originalAgentType + type: keyword + - name: originalAgentVersion + type: keyword + - name: originalAgentZoneURI + type: keyword + - name: priority + type: keyword + - name: relevance + type: keyword + - name: severity + type: keyword + - name: sourceTranslatedZoneID + type: keyword + - name: sourceTranslatedZoneURI + type: keyword + description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. + - name: sourceZoneID + type: keyword + description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. + - name: sourceZoneURI + type: keyword + description: The URI for the Zone that the source asset has been assigned to in ArcSight. + - name: aggregationType + type: keyword + - name: destinationMacAddress + type: keyword + description: Six colon-separated hexadecimal numbers. + - name: filePath + type: keyword + description: Full path to the file, including file name itself. + - name: fileSize + type: long + description: Size of the file. + - name: repeatCount + type: keyword + - name: sourceHostName + type: keyword + description: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. + - name: sourceMacAddress + type: keyword + description: Six colon-separated hexadecimal numbers. + - name: sourceUserId + type: keyword + description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. + - name: target + type: keyword diff --git a/packages/cef/2.3.4/data_stream/log/manifest.yml b/packages/cef/2.3.4/data_stream/log/manifest.yml new file mode 100755 index 0000000000..8383dac3ad --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/manifest.yml @@ -0,0 +1,104 @@ +type: logs +title: CEF log logs +streams: + - input: logfile + template_path: log.yml.hbs + title: CEF logs + description: Collect CEF logs using log input + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/cef.log + - name: decode_cef_timezone + type: text + title: CEF Timezone + multi: false + required: false + show_user: false + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. + - name: tags + type: text + title: Tags + description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. + multi: true + required: true + show_user: false + default: + - cef + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: udp + template_path: udp.yml.hbs + title: CEF logs + description: Collect CEF logs using udp input + vars: + - name: syslog_host + type: text + title: Syslog Host + description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Syslog Port + description: The UDP port to listen for syslog traffic. + multi: false + required: true + show_user: true + default: 9003 + - name: decode_cef_timezone + type: text + title: CEF Timezone + multi: false + required: false + show_user: false + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. + - name: tags + type: text + title: Tags + description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. + multi: true + required: true + show_user: false + default: + - cef + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cef/2.3.4/data_stream/log/sample_event.json b/packages/cef/2.3.4/data_stream/log/sample_event.json new file mode 100755 index 0000000000..aa4da19638 --- /dev/null +++ b/packages/cef/2.3.4/data_stream/log/sample_event.json @@ -0,0 +1,122 @@ +{ + "@timestamp": "2022-06-03T01:39:47.734Z", + "agent": { + "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf", + "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "cef": { + "device": { + "event_class_id": "18", + "product": "Vaporware", + "vendor": "Elastic", + "version": "1.0.0-alpha" + }, + "extensions": { + "destinationAddress": "192.168.10.1", + "destinationPort": 443, + "eventId": 3457, + "requestContext": "https://www.google.com", + "requestMethod": "POST", + "requestUrl": "https://www.example.com/cart", + "sourceAddress": "89.160.20.156", + "sourceGeoLatitude": 38.915, + "sourceGeoLongitude": -77.511, + "sourcePort": 33876, + "sourceServiceName": "httpd", + "transportProtocol": "TCP" + }, + "name": "Web request", + "severity": "low", + "version": "0" + }, + "data_stream": { + "dataset": "cef.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "192.168.10.1", + "port": 443 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "code": "18", + "dataset": "cef.log", + "id": "3457", + "ingested": "2022-06-03T01:39:48Z", + "severity": 0 + }, + "http": { + "request": { + "method": "POST", + "referrer": "https://www.google.com" + } + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.112.4:35889" + } + }, + "message": "Web request", + "network": { + "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=", + "transport": "tcp" + }, + "observer": { + "product": "Vaporware", + "vendor": "Elastic", + "version": "1.0.0-alpha" + }, + "related": { + "ip": [ + "192.168.10.1", + "89.160.20.156" + ] + }, + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 33876, + "service": { + "name": "httpd" + } + }, + "tags": [ + "cef", + "forwarded" + ], + "url": { + "original": "https://www.example.com/cart" + } +} \ No newline at end of file diff --git a/packages/cef/2.3.4/docs/README.md b/packages/cef/2.3.4/docs/README.md new file mode 100755 index 0000000000..537e54c938 --- /dev/null +++ b/packages/cef/2.3.4/docs/README.md @@ -0,0 +1,617 @@ +# Common Event Format (CEF) Integration + +This is an integration for parsing Common Event Format (CEF) data. It can accept +data over syslog or read it from a file. + +CEF data is a format like + +`CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` + +When syslog is used as the transport the CEF data becomes the message that is +contained in the syslog envelope. This integration will parse the syslog +timestamp if it is present. Depending on the syslog RFC used the message will +have a format like one of these: + +`<189> Jun 18 10:55:50 host CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` + +`<189>1 2021-06-18T10:55:50.000003Z host app - - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello` + +In both cases the integration will use the syslog timestamp as the `@timestamp` +unless the CEF data contains a device receipt timestamp. + +The Elastic Agent's `decode_cef` processor is applied to parse the CEF encoded +data. The decoded data is written into a `cef` object field. Lastly any Elastic +Common Schema (ECS) fields that can be populated with the CEF data are +populated. + +## Compatibility + +### Forcepoint NGFW Security Management Center + +This module will process CEF data from Forcepoint NGFW Security Management +Center (SMC). In the SMC configure the logs to be forwarded to the address set +in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`. +Instructions can be found in [KB +15002](https://support.forcepoint.com/KBArticle?id=000015002) for configuring +the SMC. + +Testing was done with CEF logs from SMC version 6.6.1 and custom string mappings +were taken from 'CEF Connector Configuration Guide' dated December 5, 2011. + +### Check Point devices + +This module will parse CEF data from Check Point devices as documented in [Log +Exporter CEF Field +Mappings](https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060). + +Check Point CEF extensions are mapped as follows: + + +| CEF Extension | CEF Label value | ECS Fields | Non-ECS Field | +|----------------------------|-----------------------------|--------------------------|--------------------------------| +| cp_app_risk | - | event.risk_score | checkpoint.app_risk | +| cp_severity | - | event.severity | checkpoint.severity | +| baseEventCount | - | - | checkpoint.event_count | +| deviceExternalId | - | observer.type | - | +| deviceFacility | - | observer.type | - | +| deviceInboundInterface | - | observer.ingress.interface.name | - | +| deviceOutboundInterface | - | observer.egress.interface.name | - | +| externalId | - | - | checkpoint.uuid | +| fileHash | - | file.hash.\{md5,sha1\} | - | +| reason | - | - | checkpoint.termination_reason | +| requestCookies | - | - | checkpoint.cookie | +| sourceNtDomain | - | dns.question.name | - | +| Signature | - | vulnerability.id | - | +| Recipient | - | email.to.address | - | +| Sender | - | email.from.address | - | +| deviceCustomFloatingPoint1 | update version | observer.version | - | +| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - | +| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - | +| deviceCustomNumber1 | elapsed time in seconds | event.duration | - | +| deviceCustomNumber1 | email recipients number | - | checkpoint.email_recipients_num | +| deviceCustomNumber1 | payload | network.bytes | - | +| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type | +| deviceCustomNumber2 | duration in seconds | event.duration | - | +| deviceCustomNumber3 | icmp code | - | checkpoint.icmp_code | +| deviceCustomString1 | connectivity state | - | checkpoint.connectivity_state | +| deviceCustomString1 | application rule name | rule.name | - | +| deviceCustomString1 | threat prevention rule name | rule.name | - | +| deviceCustomString1 | voip log type | - | checkpoint.voip_log_type | +| deviceCustomString1 | dlp rule name | rule.name | - | +| deviceCustomString1 | email id | - | checkpoint.email_id | +| deviceCustomString2 | category | - | checkpoint.category | +| deviceCustomString2 | email subject | email.subject | checkpoint.email_subject | +| deviceCustomString2 | sensor mode | - | checkpoint.sensor_mode | +| deviceCustomString2 | protection id | - | checkpoint.protection_id | +| deviceCustomString2 | scan invoke type | - | checkpoint.integrity_av_invoke_type | +| deviceCustomString2 | update status | - | checkpoint.update_status | +| deviceCustomString2 | peer gateway | - | checkpoint.peer_gateway | +| deviceCustomString2 | categories | rule.category | - | +| deviceCustomString6 | application name | network.application | - | +| deviceCustomString6 | virus name | - | checkpoint.virus_name | +| deviceCustomString6 | malware name | - | checkpoint.spyware_name | +| deviceCustomString6 | malware family | - | checkpoint.malware_family | +| deviceCustomString3 | user group | group.name | - | +| deviceCustomString3 | incident extension | - | checkpoint.incident_extension | +| deviceCustomString3 | protection type | - | checkpoint.protection_type | +| deviceCustomString3 | email spool id | - | checkpoint.email_spool_id | +| deviceCustomString3 | identity type | - | checkpoint.identity_type | +| deviceCustomString4 | malware status | - | checkpoint.spyware_status | +| deviceCustomString4 | threat prevention rule id | rule.id | - | +| deviceCustomString4 | scan result | - | checkpoint.scan_result | +| deviceCustomString4 | tcp flags | - | checkpoint.tcp_flags | +| deviceCustomString4 | destination os | os.name | - | +| deviceCustomString4 | protection name | - | checkpoint.protection_name | +| deviceCustomString4 | email control | - | checkpoint.email_control | +| deviceCustomString4 | frequency | - | checkpoint.frequency | +| deviceCustomString4 | user response | - | checkpoint.user_status | +| deviceCustomString5 | matched category | rule.category | - | +| deviceCustomString5 | vlan id | network.vlan.id | - | +| deviceCustomString5 | authentication method | - | checkpoint.auth_method | +| deviceCustomString5 | email session id | email.message_id | checkpoint.email_session_id | +| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp | +| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level | +| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact | +| deviceFlexNumber2 | destination phone number | - | checkpoint.dst_phone_number | +| flexString1 | application signature id | - | checkpoint.app_sig_id | +| flexString2 | malware action | rule.description | - | +| flexString2 | attack information | event.action | - | +| rule_uid | - | rule.uuid | - | +| ifname | - | observer.ingress.interface.name | - | +| inzone | - | observer.ingress.zone | - | +| outzone | - | observer.egress.zone | - | +| product | - | observer.product | - | + +## Logs + +### CEF log + +This is the CEF `log` dataset. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-06-03T01:39:47.734Z", + "agent": { + "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf", + "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "cef": { + "device": { + "event_class_id": "18", + "product": "Vaporware", + "vendor": "Elastic", + "version": "1.0.0-alpha" + }, + "extensions": { + "destinationAddress": "192.168.10.1", + "destinationPort": 443, + "eventId": 3457, + "requestContext": "https://www.google.com", + "requestMethod": "POST", + "requestUrl": "https://www.example.com/cart", + "sourceAddress": "89.160.20.156", + "sourceGeoLatitude": 38.915, + "sourceGeoLongitude": -77.511, + "sourcePort": 33876, + "sourceServiceName": "httpd", + "transportProtocol": "TCP" + }, + "name": "Web request", + "severity": "low", + "version": "0" + }, + "data_stream": { + "dataset": "cef.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "192.168.10.1", + "port": 443 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "code": "18", + "dataset": "cef.log", + "id": "3457", + "ingested": "2022-06-03T01:39:48Z", + "severity": 0 + }, + "http": { + "request": { + "method": "POST", + "referrer": "https://www.google.com" + } + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.112.4:35889" + } + }, + "message": "Web request", + "network": { + "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=", + "transport": "tcp" + }, + "observer": { + "product": "Vaporware", + "vendor": "Elastic", + "version": "1.0.0-alpha" + }, + "related": { + "ip": [ + "192.168.10.1", + "89.160.20.156" + ] + }, + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 33876, + "service": { + "name": "httpd" + } + }, + "tags": [ + "cef", + "forwarded" + ], + "url": { + "original": "https://www.example.com/cart" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cef.device.event_class_id | Unique identifier of the event type. | keyword | +| cef.device.product | Product of the device that produced the message. | keyword | +| cef.device.vendor | Vendor of the device that produced the message. | keyword | +| cef.device.version | Version of the product that produced the message. | keyword | +| cef.extensions.TrendMicroDsDetectionConfidence | | keyword | +| cef.extensions.TrendMicroDsFileMD5 | | keyword | +| cef.extensions.TrendMicroDsFileSHA1 | | keyword | +| cef.extensions.TrendMicroDsFileSHA256 | | keyword | +| cef.extensions.TrendMicroDsFrameType | | keyword | +| cef.extensions.TrendMicroDsMalwareTarget | | keyword | +| cef.extensions.TrendMicroDsMalwareTargetType | | keyword | +| cef.extensions.TrendMicroDsPacketData | | keyword | +| cef.extensions.TrendMicroDsRelevantDetectionNames | | keyword | +| cef.extensions.TrendMicroDsTenant | | keyword | +| cef.extensions.TrendMicroDsTenantId | | keyword | +| cef.extensions.ad | | flattened | +| cef.extensions.agentAddress | The IP address of the ArcSight connector that processed the event. | ip | +| cef.extensions.agentHostName | The hostname of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentId | The agent ID of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentMacAddress | The MAC address of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentReceiptTime | The time at which information about the event was received by the ArcSight connector. | date | +| cef.extensions.agentTimeZone | The agent time zone of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentType | The agent type of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentVersion | The version of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentZoneURI | | keyword | +| cef.extensions.aggregationType | | keyword | +| cef.extensions.applicationProtocol | Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. | keyword | +| cef.extensions.assetCriticality | | keyword | +| cef.extensions.baseEventCount | A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. | long | +| cef.extensions.bytesIn | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. | long | +| cef.extensions.bytesOut | Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. | long | +| cef.extensions.categoryBehavior | Action or a behavior associated with an event. It's what is being done to the object (ArcSight). | keyword | +| cef.extensions.categoryDeviceGroup | General device group like Firewall (ArcSight). | keyword | +| cef.extensions.categoryDeviceType | Device type. Examples - Proxy, IDS, Web Server (ArcSight). | keyword | +| cef.extensions.categoryObject | Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). | keyword | +| cef.extensions.categoryOutcome | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword | +| cef.extensions.categorySignificance | Characterization of the importance of the event (ArcSight). | keyword | +| cef.extensions.categoryTechnique | Technique being used (e.g. /DoS) (ArcSight). | keyword | +| cef.extensions.cp_app_risk | | keyword | +| cef.extensions.cp_severity | | keyword | +| cef.extensions.destinationAddress | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. | ip | +| cef.extensions.destinationHostName | Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. | keyword | +| cef.extensions.destinationMacAddress | Six colon-separated hexadecimal numbers. | keyword | +| cef.extensions.destinationNtDomain | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword | +| cef.extensions.destinationPort | The valid port numbers are between 0 and 65535. | long | +| cef.extensions.destinationServiceName | The service targeted by this event. | keyword | +| cef.extensions.destinationTranslatedAddress | Identifies the translated destination that the event refers to in an IP network. | ip | +| cef.extensions.destinationTranslatedPort | Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. | long | +| cef.extensions.destinationUserName | Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. | keyword | +| cef.extensions.destinationUserPrivileges | The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". | keyword | +| cef.extensions.deviceAction | Action taken by the device. | keyword | +| cef.extensions.deviceAddress | Identifies the device address that an event refers to in an IP network. | ip | +| cef.extensions.deviceAssetId | | keyword | +| cef.extensions.deviceCustomDate2 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword | +| cef.extensions.deviceCustomDate2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomIPv6Address1 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | +| cef.extensions.deviceCustomIPv6Address1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomIPv6Address2 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | +| cef.extensions.deviceCustomIPv6Address2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomIPv6Address3 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | +| cef.extensions.deviceCustomIPv6Address3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomIPv6Address4 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | +| cef.extensions.deviceCustomIPv6Address4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomNumber1 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | +| cef.extensions.deviceCustomNumber1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomNumber2 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | +| cef.extensions.deviceCustomNumber2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomNumber3 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | +| cef.extensions.deviceCustomNumber3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString1 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString2 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString3 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString4 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString5 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString5Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString6 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString6Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceDirection | Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. | long | +| cef.extensions.deviceEventCategory | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". | keyword | +| cef.extensions.deviceExternalId | A name that uniquely identifies the device generating this event. | keyword | +| cef.extensions.deviceFacility | The facility generating this event. For example, Syslog has an explicit facility associated with every event. | keyword | +| cef.extensions.deviceHostName | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. | keyword | +| cef.extensions.deviceInboundInterface | Interface on which the packet or data entered the device. | keyword | +| cef.extensions.deviceOutboundInterface | Interface on which the packet or data left the device. | keyword | +| cef.extensions.deviceProcessName | Process name associated with the event. An example might be the process generating the syslog entry in UNIX. | keyword | +| cef.extensions.deviceReceiptTime | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | keyword | +| cef.extensions.deviceSeverity | | keyword | +| cef.extensions.deviceTimeZone | The time zone for the device generating the event. | keyword | +| cef.extensions.deviceZoneID | | keyword | +| cef.extensions.deviceZoneURI | Thee URI for the Zone that the device asset has been assigned to in ArcSight. | keyword | +| cef.extensions.dvc | This field is used by Trend Micro if the hostname is an IPv4 address. | ip | +| cef.extensions.dvchost | This field is used by Trend Micro for hostnames and IPv6 addresses. | keyword | +| cef.extensions.eventAnnotationAuditTrail | | keyword | +| cef.extensions.eventAnnotationEndTime | | date | +| cef.extensions.eventAnnotationFlags | | keyword | +| cef.extensions.eventAnnotationManagerReceiptTime | | date | +| cef.extensions.eventAnnotationModificationTime | | date | +| cef.extensions.eventAnnotationStageUpdateTime | | date | +| cef.extensions.eventAnnotationVersion | | keyword | +| cef.extensions.eventId | This is a unique ID that ArcSight assigns to each event. | long | +| cef.extensions.fileHash | Hash of a file. | keyword | +| cef.extensions.filePath | Full path to the file, including file name itself. | keyword | +| cef.extensions.fileSize | Size of the file. | long | +| cef.extensions.fileType | Type of file (pipe, socket, etc.) | keyword | +| cef.extensions.filename | Name of the file only (without its path). | keyword | +| cef.extensions.ifname | | keyword | +| cef.extensions.inzone | | keyword | +| cef.extensions.layer_name | | keyword | +| cef.extensions.layer_uuid | | keyword | +| cef.extensions.locality | | keyword | +| cef.extensions.logid | | keyword | +| cef.extensions.loguid | | keyword | +| cef.extensions.managerReceiptTime | When the Arcsight ESM received the event. | date | +| cef.extensions.match_id | | keyword | +| cef.extensions.message | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. | keyword | +| cef.extensions.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| cef.extensions.modelConfidence | | keyword | +| cef.extensions.nat_addtnl_rulenum | | keyword | +| cef.extensions.nat_rulenum | | keyword | +| cef.extensions.oldFileHash | Hash of the old file. | keyword | +| cef.extensions.origin | | keyword | +| cef.extensions.originalAgentAddress | | keyword | +| cef.extensions.originalAgentHostName | | keyword | +| cef.extensions.originalAgentId | | keyword | +| cef.extensions.originalAgentType | | keyword | +| cef.extensions.originalAgentVersion | | keyword | +| cef.extensions.originalAgentZoneURI | | keyword | +| cef.extensions.originsicname | | keyword | +| cef.extensions.outzone | | keyword | +| cef.extensions.parent_rule | | keyword | +| cef.extensions.priority | | keyword | +| cef.extensions.product | | keyword | +| cef.extensions.relevance | | keyword | +| cef.extensions.repeatCount | | keyword | +| cef.extensions.requestContext | Description of the content from which the request originated (for example, HTTP Referrer). | keyword | +| cef.extensions.requestMethod | The HTTP method used to access a URL. | keyword | +| cef.extensions.requestUrl | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. | keyword | +| cef.extensions.requestUrlFileName | | keyword | +| cef.extensions.rule_action | | keyword | +| cef.extensions.rule_uid | | keyword | +| cef.extensions.sequencenum | | keyword | +| cef.extensions.service_id | | keyword | +| cef.extensions.severity | | keyword | +| cef.extensions.sourceAddress | Identifies the source that an event refers to in an IP network. | ip | +| cef.extensions.sourceGeoLatitude | | long | +| cef.extensions.sourceGeoLongitude | | long | +| cef.extensions.sourceHostName | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. | keyword | +| cef.extensions.sourceMacAddress | Six colon-separated hexadecimal numbers. | keyword | +| cef.extensions.sourceNtDomain | The Windows domain name for the source address. | keyword | +| cef.extensions.sourcePort | The valid port numbers are 0 to 65535. | long | +| cef.extensions.sourceServiceName | The service that is responsible for generating this event. | keyword | +| cef.extensions.sourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. | ip | +| cef.extensions.sourceTranslatedPort | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. | long | +| cef.extensions.sourceTranslatedZoneID | | keyword | +| cef.extensions.sourceTranslatedZoneURI | The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. | keyword | +| cef.extensions.sourceUserId | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword | +| cef.extensions.sourceUserName | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. | keyword | +| cef.extensions.sourceUserPrivileges | The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". | keyword | +| cef.extensions.sourceZoneID | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword | +| cef.extensions.sourceZoneURI | The URI for the Zone that the source asset has been assigned to in ArcSight. | keyword | +| cef.extensions.startTime | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | date | +| cef.extensions.target | | keyword | +| cef.extensions.transportProtocol | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. | keyword | +| cef.extensions.type | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). | long | +| cef.extensions.version | | keyword | +| cef.forcepoint.virus_id | Virus ID | keyword | +| cef.name | | keyword | +| cef.severity | | keyword | +| cef.version | | keyword | +| checkpoint.app_risk | Application risk. | keyword | +| checkpoint.app_severity | Application threat severity. | keyword | +| checkpoint.app_sig_id | The signature ID which the application was detected by. | keyword | +| checkpoint.auth_method | Password authentication protocol used. | keyword | +| checkpoint.category | Category. | keyword | +| checkpoint.confidence_level | Confidence level determined. | integer | +| checkpoint.connectivity_state | Connectivity state. | keyword | +| checkpoint.cookie | IKE cookie. | keyword | +| checkpoint.dst_phone_number | Destination IP-Phone. | keyword | +| checkpoint.email_control | Engine name. | keyword | +| checkpoint.email_id | Internal email ID. | keyword | +| checkpoint.email_recipients_num | Number of recipients. | long | +| checkpoint.email_session_id | Internal email session ID. | keyword | +| checkpoint.email_spool_id | Internal email spool ID. | keyword | +| checkpoint.email_subject | Email subject. | keyword | +| checkpoint.event_count | Number of events associated with the log. | long | +| checkpoint.frequency | Scan frequency. | keyword | +| checkpoint.icmp_code | ICMP code. | long | +| checkpoint.icmp_type | ICMP type. | long | +| checkpoint.identity_type | Identity type. | keyword | +| checkpoint.incident_extension | Format of original data. | keyword | +| checkpoint.integrity_av_invoke_type | Scan invoke type. | keyword | +| checkpoint.malware_family | Malware family. | keyword | +| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip | +| checkpoint.performance_impact | Protection performance impact. | integer | +| checkpoint.protection_id | Protection malware ID. | keyword | +| checkpoint.protection_name | Specific signature name of the attack. | keyword | +| checkpoint.protection_type | Type of protection used to detect the attack. | keyword | +| checkpoint.scan_result | Scan result. | keyword | +| checkpoint.sensor_mode | Sensor mode. | keyword | +| checkpoint.severity | Threat severity. | keyword | +| checkpoint.spyware_name | Spyware name. | keyword | +| checkpoint.spyware_status | Spyware status. | keyword | +| checkpoint.subs_exp | The expiration date of the subscription. | date | +| checkpoint.tcp_flags | TCP packet flags. | keyword | +| checkpoint.termination_reason | Termination reason. | keyword | +| checkpoint.update_status | Update status. | keyword | +| checkpoint.user_status | User response. | keyword | +| checkpoint.uuid | External ID. | keyword | +| checkpoint.virus_name | Virus name. | keyword | +| checkpoint.voip_log_type | VoIP log types. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.service.name | | keyword | +| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| destination.user.group.name | Name of the group. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| file.group | Primary group name of the file. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.service.name | | keyword | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json b/packages/cef/2.3.4/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json new file mode 100755 index 0000000000..13b12cde8e --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9.json @@ -0,0 +1,84 @@ +{ + "attributes": { + "description": "Suspicious network activity overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF] Network Suspicious Activity Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-04749697-de8d-49b3-8eca-c873ab2c5ac9", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-07a4a351-d282-44a1-85b0-bc7e846f8471", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-b7227081-e125-49cb-a580-1be363f06be0", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-1c869759-1d3e-4898-b9c7-d2604ed38655", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-8f38607c-eb10-410e-aec5-15d8b474211e", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-655beadd-2678-4495-8793-72b5780f6283", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-769e3f37-2b08-4edb-9013-09140a520e69", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-cbde6788-7371-4712-b2e0-3eb07e0841f4", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", + "name": "17:panel_17", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json b/packages/cef/2.3.4/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json new file mode 100755 index 0000000000..e75f167514 --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c.json @@ -0,0 +1,103 @@ +{ + "attributes": { + "description": "Network data overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"1fc250c2-4990-401e-b709-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF] Network Overview Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-38061262-edbe-4ccc-8c5c-d22c480b3c64", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-daa1fe0b-a698-4429-8e5d-db251502276c", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-efa710e7-907c-4723-92cd-2bd2276f44dd", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-d3ce586b-d372-4e03-9c19-b768b1b953f3", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-291cd92f-52c4-421b-b354-468318ba3e65", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-0a202432-3dbd-49c0-af57-623ffb90211d", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-85818e02-7a16-4afa-8278-99c4059ddd82", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-841a5d3f-c201-4499-a0fd-883247360640", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-baa6c9ee-dffe-4ea5-bedd-91962700f450", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "cef-535a7bf8-a701-4016-86c0-038bc6d9d069", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", + "name": "20:panel_20", + "type": "visualization" + }, + { + "id": "cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e", + "name": "21:panel_21", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json b/packages/cef/2.3.4/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json new file mode 100755 index 0000000000..c44bda0cc2 --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "description": "Overview of Microsoft DNS activity via ArcSight", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Microsoft DNS Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-56428e01-0c47-4770-8ba4-9345a029ea41", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json b/packages/cef/2.3.4/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json new file mode 100755 index 0000000000..e155c10a5e --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf.json @@ -0,0 +1,93 @@ +{ + "attributes": { + "description": "Overview of Microsoft DNS activity", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF] Microsoft DNS Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-607f756e-288d-499a-8f8a-33791354ffaf", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-b25e0340-0e97-4849-9b89-959b9ad8c958", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-1bd44f46-e28d-4a2d-8245-6994372155ab", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-04096ec6-9644-4da7-bba3-35da7882f87d", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-490c415c-b859-4ed0-a2a4-5c4968084985", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-33290695-4eb1-4270-9e63-7083e7b132ed", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-19e44299-4e2a-4da4-a9e5-595b428d49dd", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-38fd061a-0976-4005-b0d3-729d693cdd5d", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json b/packages/cef/2.3.4/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json new file mode 100755 index 0000000000..c86601cba3 --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "description": "Operating system activity from endpoints", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#7EB26D\",\"unknown\":\"#447EBC\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF] Endpoint Activity Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-4c86b51e-6886-4484-98a2-508e92b455bb", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-0a5276a2-907b-4319-88ab-86fe5ade8b38", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-d2332147-4293-4422-930b-0a319ebeb958", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-2a0a7692-9a08-449f-bcef-b85de1855fd5", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-82a333a7-d9d3-4752-b564-160d4b9f188b", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-b4ac112e-809a-437d-a805-3ff44a67c21c", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-1479b35b-1bf3-4767-a510-9d210e010342", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "cef-255c0885-6349-4ab4-ba00-f055c6cc8000", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "cef-56247c19-7aa5-475d-b074-5b0cd4794f0c", + "name": "19:panel_19", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json b/packages/cef/2.3.4/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json new file mode 100755 index 0000000000..e740d26d0b --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json @@ -0,0 +1,109 @@ +{ + "attributes": { + "description": "Operating system activity from endpoints via ArcSight", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#447EBC\",\"/Failure\":\"#E24D42\",\"/Success\":\"#7EB26D\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Endpoint OS Activity Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-9e352900-89c3-4c1b-863e-249e24d0dac9", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", + "name": "19:panel_19", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json b/packages/cef/2.3.4/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json new file mode 100755 index 0000000000..c7f45b8189 --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15.json @@ -0,0 +1,83 @@ +{ + "attributes": { + "description": "Summary of endpoint event data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\",\"unknown\":\"#0A50A1\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"event.outcome\",\"event.category\",\"event.type\",\"cef.extensions.categoryObject\",\"event.action\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":72},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Event [Logs CEF]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-180},\"mapCenter\":{\"lat\":20.86831,\"lon\":-12.2843,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF] Endpoint Overview Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-f856a77c-a0fd-4047-afa6-e21a912814c5", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-dd339ff5-6b26-4455-ae06-f3b5591479e3", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", + "name": "9:panel_9", + "type": "search" + }, + { + "id": "cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cef-98729301-9b46-4169-b99e-1392af8fa563", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json b/packages/cef/2.3.4/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json new file mode 100755 index 0000000000..3fa223db88 --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json @@ -0,0 +1,98 @@ +{ + "attributes": { + "description": "Summary of ArcSight endpoint event data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"cef.extensions.categoryOutcome\",\"cef.extensions.categorySignificance\",\"cef.extensions.categoryObject\",\"cef.extensions.categoryBehavior\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":76},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Operating System\":\"#BF1B00\",\"Security Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#629E51\",\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#BF1B00\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Event [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Endpoint Overview Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "9:panel_9", + "type": "search" + }, + { + "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json b/packages/cef/2.3.4/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json new file mode 100755 index 0000000000..153645a090 --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "Suspicious network activity overview via ArcSight", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Network Suspicious Activity Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-db1e1aca-279e-4ecc-b84e-fe58644f7619", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "name": "17:panel_17", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json b/packages/cef/2.3.4/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json new file mode 100755 index 0000000000..9c26408568 --- /dev/null +++ b/packages/cef/2.3.4/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "description": "Network data overview via ArcSight", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":68},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":32,\"x\":0,\"y\":32},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EF843C\",\"Content Security\":\"#7EB26D\",\"Firewall\":\"#E24D42\",\"Integrated Security\":\"#962D82\",\"Network-based IDS/IPS\":\"#1F78C1\",\"Operating System\":\"#1F78C1\",\"VPN\":\"#EAB839\"}}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":76},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":76},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"1fc250c2-4990-401e-b709-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Network Overview Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-dd0bc9af-2e89-4150-9b42-62517ea56b71", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-f5258de9-71f7-410f-b713-201007f77470", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "name": "20:panel_20", + "type": "visualization" + }, + { + "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", + "name": "21:panel_21", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json b/packages/cef/2.3.4/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json new file mode 100755 index 0000000000..4a63506766 --- /dev/null +++ b/packages/cef/2.3.4/kibana/search/cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "columns": [ + "priority", + "message", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.application", + "message", + "event.action", + "event.outcome", + "cef.extensions.deviceAddress", + "cef.device.product", + "cef.device.vendor", + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"term\\\":{\\\"event.category\\\":\\\"network\\\"}}\"},\"query\":{\"term\":{\"event.category\":\"network\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Network Events [Logs CEF]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json b/packages/cef/2.3.4/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json new file mode 100755 index 0000000000..d508c55580 --- /dev/null +++ b/packages/cef/2.3.4/kibana/search/cef-41770860-2a81-4ce7-b8b4-a0c6970725b0.json @@ -0,0 +1,40 @@ +{ + "attributes": { + "columns": [ + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryTechnique", + "event.outcome", + "event.category", + "event.type", + "cef.extensions.categoryObject", + "event.action", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Endpoint Event Explorer [Logs CEF]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json b/packages/cef/2.3.4/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json new file mode 100755 index 0000000000..f6647c5dd1 --- /dev/null +++ b/packages/cef/2.3.4/kibana/search/cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042.json @@ -0,0 +1,44 @@ +{ + "attributes": { + "columns": [ + "cef.device.vendor", + "cef.device.product", + "message", + "cef.device.event_class_id", + "cef.extensions.deviceEventCategory", + "source.user.name", + "destination.user.name", + "destination.domain", + "event.action", + "event.outcome", + "cef.extensions.sourceNtDomain", + "cef.extensions.destinationNtDomain" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Endpoint - Events [Logs CEF]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json b/packages/cef/2.3.4/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json new file mode 100755 index 0000000000..1982f9bf79 --- /dev/null +++ b/packages/cef/2.3.4/kibana/search/cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c.json @@ -0,0 +1,55 @@ +{ + "attributes": { + "columns": [ + "cef.device.vendor", + "cef.device.product", + "event.action", + "event.outcome", + "destination.ip", + "destination.port", + "destination.domain", + "cef.device.event_class_id", + "cef.extensions.deviceCustomString1Label", + "cef.extensions.deviceCustomString1", + "cef.extensions.deviceCustomString2Label", + "cef.extensions.deviceCustomString2", + "cef.extension.deviceCustomString3Label", + "cef.extension.deviceCustomString3", + "cef.extension.deviceCustomString4Label", + "cef.extension.deviceCustomString4", + "cef.extensions.deviceEventCategory", + "event.severity", + "source.ip", + "source.port", + "network.transport", + "source.bytes", + "url.original" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Microsoft DNS Events [Logs CEF]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json b/packages/cef/2.3.4/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json new file mode 100755 index 0000000000..cf5b2ee7e4 --- /dev/null +++ b/packages/cef/2.3.4/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryTechnique", + "cef.extensions.categoryOutcome", + "cef.extensions.categorySignificance", + "cef.extensions.categoryObject", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Endpoint Event Explorer [Logs CEF ArcSight]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json b/packages/cef/2.3.4/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json new file mode 100755 index 0000000000..dad033d27d --- /dev/null +++ b/packages/cef/2.3.4/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "columns": [ + "priority", + "message", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.application", + "message", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryOutcome", + "cef.extensions.deviceAddress", + "cef.device.product", + "cef.device.vendor", + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"terms\\\":{\\\"cef.extensions.categoryDeviceGroup\\\":[\\\"/VPN\\\",\\\"/IDS/Network\\\",\\\"/Firewall\\\"]}}\"},\"query\":{\"terms\":{\"cef.extensions.categoryDeviceGroup\":[\"/VPN\",\"/IDS/Network\",\"/Firewall\"]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Network Events [Logs CEF ArcSight]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json b/packages/cef/2.3.4/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json new file mode 100755 index 0000000000..9082a5e861 --- /dev/null +++ b/packages/cef/2.3.4/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json @@ -0,0 +1,44 @@ +{ + "attributes": { + "columns": [ + "cef.device.vendor", + "cef.device.product", + "message", + "cef.device.event_class_id", + "cef.extensions.deviceEventCategory", + "source.user.name", + "destination.user.name", + "destination.domain", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryOutcome", + "cef.extensions.sourceNtDomain", + "cef.extensions.destinationNtDomain" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Endpoint - OS Events [Logs CEF ArcSight]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json b/packages/cef/2.3.4/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json new file mode 100755 index 0000000000..74d6b3c820 --- /dev/null +++ b/packages/cef/2.3.4/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json @@ -0,0 +1,55 @@ +{ + "attributes": { + "columns": [ + "cef.device.vendor", + "cef.device.product", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryOutcome", + "destination.ip", + "destination.port", + "destination.domain", + "cef.device.event_class_id", + "cef.extensions.deviceCustomString1Label", + "cef.extensions.deviceCustomString1", + "cef.extensions.deviceCustomString2Label", + "cef.extensions.deviceCustomString2", + "cef.extension.deviceCustomString3Label", + "cef.extension.deviceCustomString3", + "cef.extension.deviceCustomString4Label", + "cef.extension.deviceCustomString4", + "cef.extensions.deviceEventCategory", + "event.severity", + "source.ip", + "source.port", + "network.transport", + "source.bytes", + "url.original" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Microsoft DNS Events [Logs CEF ArcSight]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json b/packages/cef/2.3.4/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json new file mode 100755 index 0000000000..f7372f962e --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 20 Source Countries [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json b/packages/cef/2.3.4/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json new file mode 100755 index 0000000000..e4e3fbc58d --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json b/packages/cef/2.3.4/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json new file mode 100755 index 0000000000..c0264531f9 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-04096ec6-9644-4da7-bba3-35da7882f87d.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Event Types [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-04096ec6-9644-4da7-bba3-35da7882f87d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json b/packages/cef/2.3.4/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json new file mode 100755 index 0000000000..6f56e86928 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Port [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0410a35e-eabd-46f4-a124-c780b6d1fd2e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json b/packages/cef/2.3.4/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json new file mode 100755 index 0000000000..183db7cb98 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-07a4a351-d282-44a1-85b0-bc7e846f8471.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Sources by Destination Addresses [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-07a4a351-d282-44a1-85b0-bc7e846f8471", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json b/packages/cef/2.3.4/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json new file mode 100755 index 0000000000..1c27cabbe6 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-0959df23-10c9-47fd-bebd-c382007b3584.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" + }, + "title": " Dashboard Navigation [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c) | [Network Suspicious Activity](#/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9) | [Endpoint Overview](#dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15) | [Endpoint Activity](#/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf) | [Microsoft DNS Overview](#/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf)\"},\"title\":\" Dashboard Navigation [Logs CEF]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0959df23-10c9-47fd-bebd-c382007b3584", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json b/packages/cef/2.3.4/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json new file mode 100755 index 0000000000..6209fc854f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-0a202432-3dbd-49c0-af57-623ffb90211d.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Ports by Outcome [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"success\":\"#629E51\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0a202432-3dbd-49c0-af57-623ffb90211d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json b/packages/cef/2.3.4/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json new file mode 100755 index 0000000000..13e0680159 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-0a5276a2-907b-4319-88ab-86fe5ade8b38.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Outcomes [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"event.outcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0a5276a2-907b-4319-88ab-86fe5ade8b38", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json b/packages/cef/2.3.4/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json new file mode 100755 index 0000000000..bec9522083 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Bandwidth Utilization [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json b/packages/cef/2.3.4/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json new file mode 100755 index 0000000000..87df75c155 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "DNS Metrics Overview [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0d0fd899-a40a-43e5-ac80-56f3bf09c18c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json b/packages/cef/2.3.4/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json new file mode 100755 index 0000000000..702933c209 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Outcomes [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json b/packages/cef/2.3.4/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json new file mode 100755 index 0000000000..f26cc0f813 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Device [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0fe1baba-84a8-4cb3-9b17-bae8693c345a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json b/packages/cef/2.3.4/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json new file mode 100755 index 0000000000..bba67eb563 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcomes by Device Type [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"cef.extensions.categoryDeviceType: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json b/packages/cef/2.3.4/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json new file mode 100755 index 0000000000..1f0e2fde5c --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Ports [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json b/packages/cef/2.3.4/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json new file mode 100755 index 0000000000..19c4fa4610 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-1479b35b-1bf3-4767-a510-9d210e010342.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destinations [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-1479b35b-1bf3-4767-a510-9d210e010342", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json b/packages/cef/2.3.4/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json new file mode 100755 index 0000000000..ec2f257b88 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Endpoint OS Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"cef.extensions.categoryOutcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json b/packages/cef/2.3.4/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json new file mode 100755 index 0000000000..a3f9d219f4 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Direction [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json b/packages/cef/2.3.4/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json new file mode 100755 index 0000000000..f1ef73d247 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-19e44299-4e2a-4da4-a9e5-595b428d49dd.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources by Size [Logs CEF]", + "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-19e44299-4e2a-4da4-a9e5-595b428d49dd", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json b/packages/cef/2.3.4/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json new file mode 100755 index 0000000000..6c04dc9028 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destinations by Size [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json b/packages/cef/2.3.4/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json new file mode 100755 index 0000000000..734effac6e --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-1bd44f46-e28d-4a2d-8245-6994372155ab.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top Destinations by Traffic Size [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-1bd44f46-e28d-4a2d-8245-6994372155ab", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json b/packages/cef/2.3.4/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json new file mode 100755 index 0000000000..7bfc8c774b --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-1c869759-1d3e-4898-b9c7-d2604ed38655.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Severity [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-1c869759-1d3e-4898-b9c7-d2604ed38655", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json b/packages/cef/2.3.4/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json new file mode 100755 index 0000000000..3b90350ff6 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "DNS Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json b/packages/cef/2.3.4/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json new file mode 100755 index 0000000000..25f79d7cc1 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-255c0885-6349-4ab4-ba00-f055c6cc8000.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-255c0885-6349-4ab4-ba00-f055c6cc8000", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json b/packages/cef/2.3.4/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json new file mode 100755 index 0000000000..401dfbed0a --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources by Size [Logs CEF ArcSight]", + "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json b/packages/cef/2.3.4/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json new file mode 100755 index 0000000000..a8dd56342f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Unique Destinations and Ports by Source [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-270139ff-fc2f-4fca-b241-93a8f57cdcdf", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json b/packages/cef/2.3.4/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json new file mode 100755 index 0000000000..1697d134c5 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 15 Event Types by Events [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json b/packages/cef/2.3.4/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json new file mode 100755 index 0000000000..368418b81f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-291cd92f-52c4-421b-b354-468318ba3e65.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Metrics Overview [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-291cd92f-52c4-421b-b354-468318ba3e65", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json b/packages/cef/2.3.4/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json new file mode 100755 index 0000000000..c52b647746 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Countries by Event [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json b/packages/cef/2.3.4/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json new file mode 100755 index 0000000000..0cdee83a6a --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-2a0a7692-9a08-449f-bcef-b85de1855fd5.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Endpoint - Average EPS [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - Average EPS [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-2a0a7692-9a08-449f-bcef-b85de1855fd5", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json b/packages/cef/2.3.4/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json new file mode 100755 index 0000000000..0c2cecb2d8 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 20 Behaviors by Outcome [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-2b96deab-dbf1-4be3-ae70-1bfb6c3fbd2a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json b/packages/cef/2.3.4/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json new file mode 100755 index 0000000000..6cf742b59b --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Source Countries [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-2ecd00c0-66f4-4020-9c6e-dff40d47654c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json b/packages/cef/2.3.4/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json new file mode 100755 index 0000000000..63e38a3cff --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources by Destinations [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json b/packages/cef/2.3.4/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json new file mode 100755 index 0000000000..5f6c8a1920 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-33290695-4eb1-4270-9e63-7083e7b132ed.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events Types by Severity [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-33290695-4eb1-4270-9e63-7083e7b132ed", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json b/packages/cef/2.3.4/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json new file mode 100755 index 0000000000..5ec0797be6 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Network - Event Throughput [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json b/packages/cef/2.3.4/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json new file mode 100755 index 0000000000..d47376e13f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-38061262-edbe-4ccc-8c5c-d22c480b3c64.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Application Protocols [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-38061262-edbe-4ccc-8c5c-d22c480b3c64", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json b/packages/cef/2.3.4/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json new file mode 100755 index 0000000000..f7b6ad4a29 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-38fd061a-0976-4005-b0d3-729d693cdd5d.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Direction [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-38fd061a-0976-4005-b0d3-729d693cdd5d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json b/packages/cef/2.3.4/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json new file mode 100755 index 0000000000..563c47bef0 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Type Breakdown [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Type Breakdown [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json b/packages/cef/2.3.4/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json new file mode 100755 index 0000000000..5b43a8fe58 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-490c415c-b859-4ed0-a2a4-5c4968084985.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Event Types by Size [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-490c415c-b859-4ed0-a2a4-5c4968084985", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json b/packages/cef/2.3.4/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json new file mode 100755 index 0000000000..8192a37ebd --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Ports by Outcomes [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-4970ec04-796a-4c0e-90d9-7e23d0b7e48d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json b/packages/cef/2.3.4/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json new file mode 100755 index 0000000000..a2085e9b19 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND _exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json b/packages/cef/2.3.4/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json new file mode 100755 index 0000000000..0614970e4b --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destinations [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json b/packages/cef/2.3.4/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json new file mode 100755 index 0000000000..468d364c92 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-4c86b51e-6886-4484-98a2-508e92b455bb.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Endpoint OS Metrics Overview [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"event.outcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-4c86b51e-6886-4484-98a2-508e92b455bb", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json b/packages/cef/2.3.4/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json new file mode 100755 index 0000000000..b0e9b3c257 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json b/packages/cef/2.3.4/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json new file mode 100755 index 0000000000..8a11a9886a --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-535a7bf8-a701-4016-86c0-038bc6d9d069.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Countries by Events [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-535a7bf8-a701-4016-86c0-038bc6d9d069", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json b/packages/cef/2.3.4/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json new file mode 100755 index 0000000000..4ad4b41dc5 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-56247c19-7aa5-475d-b074-5b0cd4794f0c.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Users [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-56247c19-7aa5-475d-b074-5b0cd4794f0c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json b/packages/cef/2.3.4/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json new file mode 100755 index 0000000000..5c7272c0cb --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top Destinations by Traffic Size [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json b/packages/cef/2.3.4/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json new file mode 100755 index 0000000000..bb3e848ce7 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Addresses [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json b/packages/cef/2.3.4/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json new file mode 100755 index 0000000000..38ac936b78 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Source Users by Event Type and Destination Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json b/packages/cef/2.3.4/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json new file mode 100755 index 0000000000..558660d19f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcomes by User Names [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#64B0C8\",\"Anti-Virus\":\"#B7DBAB\",\"Host-based IDS/IPS\":\"#629E51\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#3F6833\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#CFFAFF\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Outcomes by User Names [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json b/packages/cef/2.3.4/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json new file mode 100755 index 0000000000..0a393d6652 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Events by Source and Destination Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json b/packages/cef/2.3.4/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json new file mode 100755 index 0000000000..6b2188bd73 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Network - Event Throughput [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-62b06e9a-b8d2-4dfe-8dc6-4378331520aa", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json b/packages/cef/2.3.4/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json new file mode 100755 index 0000000000..cc03e710d3 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Users by Destination Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json b/packages/cef/2.3.4/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json new file mode 100755 index 0000000000..bee1ff9470 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-655beadd-2678-4495-8793-72b5780f6283.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Addresses [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-655beadd-2678-4495-8793-72b5780f6283", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json b/packages/cef/2.3.4/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json new file mode 100755 index 0000000000..834908bc67 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" + }, + "title": " Dashboard Navigation [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json b/packages/cef/2.3.4/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json new file mode 100755 index 0000000000..9518a579c1 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Device [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json b/packages/cef/2.3.4/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json new file mode 100755 index 0000000000..c978cbecff --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Endpoint Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json b/packages/cef/2.3.4/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json new file mode 100755 index 0000000000..dc2ddd1c89 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Source Countries [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json b/packages/cef/2.3.4/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json new file mode 100755 index 0000000000..09e0d6ff6a --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Event Types [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json b/packages/cef/2.3.4/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json new file mode 100755 index 0000000000..4600411dab --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-769e3f37-2b08-4edb-9013-09140a520e69.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Addresses [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-769e3f37-2b08-4edb-9013-09140a520e69", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json b/packages/cef/2.3.4/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json new file mode 100755 index 0000000000..7ba2b39a50 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Endpoint - OS Average EPS [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - OS Average EPS [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json b/packages/cef/2.3.4/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json new file mode 100755 index 0000000000..fa5dcd2adc --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Behaviors by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json b/packages/cef/2.3.4/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json new file mode 100755 index 0000000000..872327564c --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 15 Event Types by Events [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-7dc26e6f-76d4-4454-99a9-6ccbba8948f0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json b/packages/cef/2.3.4/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json new file mode 100755 index 0000000000..86943ae981 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "DNS - Event Throughput [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json b/packages/cef/2.3.4/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json new file mode 100755 index 0000000000..40aa11b8ad --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-82a333a7-d9d3-4752-b564-160d4b9f188b.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources by Destinations [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-82a333a7-d9d3-4752-b564-160d4b9f188b", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json b/packages/cef/2.3.4/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json new file mode 100755 index 0000000000..899b95824b --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Sources by Destination Addresses [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json b/packages/cef/2.3.4/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json new file mode 100755 index 0000000000..ba984322c2 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-841a5d3f-c201-4499-a0fd-883247360640.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Devices by Outcome [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-841a5d3f-c201-4499-a0fd-883247360640", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json b/packages/cef/2.3.4/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json new file mode 100755 index 0000000000..3386972ae8 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-85818e02-7a16-4afa-8278-99c4059ddd82.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Devices by Bandwidth [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-85818e02-7a16-4afa-8278-99c4059ddd82", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json b/packages/cef/2.3.4/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json new file mode 100755 index 0000000000..b3f601f158 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Source Users by Event Type and Destination Users [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"event.action\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-868d68b5-3e62-4fc2-b942-fbb69a7c91d5", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json b/packages/cef/2.3.4/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json new file mode 100755 index 0000000000..34d704fef6 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Addresses [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json b/packages/cef/2.3.4/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json new file mode 100755 index 0000000000..776e8391c6 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destinations by Size [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-8869f0bb-b8a3-4e6b-b3c4-3cc80b67b3da", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5a3668ef-c2d5-4bd3-a545-e2a9963b721c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json b/packages/cef/2.3.4/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json new file mode 100755 index 0000000000..dd63b9809f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcomes Breakdown [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Attempt\":\"#3F2B5B\",\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF ArcSight]\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json b/packages/cef/2.3.4/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json new file mode 100755 index 0000000000..1f8c398abc --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json b/packages/cef/2.3.4/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json new file mode 100755 index 0000000000..335a09d44d --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-8f38607c-eb10-410e-aec5-15d8b474211e.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Source Addresses [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-8f38607c-eb10-410e-aec5-15d8b474211e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json b/packages/cef/2.3.4/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json new file mode 100755 index 0000000000..f4f5f6eadc --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Countries by Events [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json b/packages/cef/2.3.4/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json new file mode 100755 index 0000000000..ab180b299a --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Vendors by Product [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json b/packages/cef/2.3.4/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json new file mode 100755 index 0000000000..3da6c90cb1 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Endpoint Average EPS [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json b/packages/cef/2.3.4/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json new file mode 100755 index 0000000000..f5d7ad975b --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-98729301-9b46-4169-b99e-1392af8fa563.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Countries by Event [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-98729301-9b46-4169-b99e-1392af8fa563", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json b/packages/cef/2.3.4/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json new file mode 100755 index 0000000000..001000873c --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Severity [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json b/packages/cef/2.3.4/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json new file mode 100755 index 0000000000..0c8cab2464 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Events by Source and Destination Users [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-a52d1fe2-6933-48bd-b079-61f6e2dc05c2", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json b/packages/cef/2.3.4/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json new file mode 100755 index 0000000000..6db6150ea6 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 20 Source Countries [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-a5e56e2a-b807-4fd7-92c2-9da42134e0a9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json b/packages/cef/2.3.4/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json new file mode 100755 index 0000000000..8ec3a53f1f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Devices by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json b/packages/cef/2.3.4/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json new file mode 100755 index 0000000000..a5448711e4 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Source [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json b/packages/cef/2.3.4/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json new file mode 100755 index 0000000000..71eae19918 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json b/packages/cef/2.3.4/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json new file mode 100755 index 0000000000..8a888d067a --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcome by Device Type [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json b/packages/cef/2.3.4/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json new file mode 100755 index 0000000000..6d692d4846 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-b25e0340-0e97-4849-9b89-959b9ad8c958.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "DNS - Event Throughput [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-b25e0340-0e97-4849-9b89-959b9ad8c958", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json b/packages/cef/2.3.4/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json new file mode 100755 index 0000000000..dc44b3cae7 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Endpoint Metrics Overview [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-b4a28b54-9adb-4c4b-8ae6-158dfeb673ce", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json b/packages/cef/2.3.4/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json new file mode 100755 index 0000000000..1b3af86506 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-b4ac112e-809a-437d-a805-3ff44a67c21c.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Users by Destination Users [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-b4ac112e-809a-437d-a805-3ff44a67c21c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json b/packages/cef/2.3.4/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json new file mode 100755 index 0000000000..74d3b0f829 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-b7227081-e125-49cb-a580-1be363f06be0.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Sources by Destination Ports [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-b7227081-e125-49cb-a580-1be363f06be0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json b/packages/cef/2.3.4/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json new file mode 100755 index 0000000000..a8db546b0d --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-baa6c9ee-dffe-4ea5-bedd-91962700f450.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Device Types [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-baa6c9ee-dffe-4ea5-bedd-91962700f450", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json b/packages/cef/2.3.4/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json new file mode 100755 index 0000000000..ea5bb8c83f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Users [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-bd35faa9-492e-4abe-9bf1-2d3c0d98171d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json b/packages/cef/2.3.4/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json new file mode 100755 index 0000000000..6601533058 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" + }, + "title": " Dashboard Navigation [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json b/packages/cef/2.3.4/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json new file mode 100755 index 0000000000..4860454ee5 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Port [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json b/packages/cef/2.3.4/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json new file mode 100755 index 0000000000..03c08e6f40 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-cbde6788-7371-4712-b2e0-3eb07e0841f4.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Ports [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-cbde6788-7371-4712-b2e0-3eb07e0841f4", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json b/packages/cef/2.3.4/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json new file mode 100755 index 0000000000..9d68c5563a --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Behaviors by Outcome [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"event.action\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-cc7f89bc-22ad-4778-9c9f-1873ff38750b", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json b/packages/cef/2.3.4/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json new file mode 100755 index 0000000000..bf65f0baac --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Source Addresses [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json b/packages/cef/2.3.4/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json new file mode 100755 index 0000000000..f56ace942b --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json b/packages/cef/2.3.4/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json new file mode 100755 index 0000000000..c2380e89a6 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-d2332147-4293-4422-930b-0a319ebeb958.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Vendors by Product [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d2332147-4293-4422-930b-0a319ebeb958", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-46204a7b-ca56-4ad7-bf60-5ef9c6b83042", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json b/packages/cef/2.3.4/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json new file mode 100755 index 0000000000..3d96a77a18 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-d3ce586b-d372-4e03-9c19-b768b1b953f3.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Outcome [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND _exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"event.outcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d3ce586b-d372-4e03-9c19-b768b1b953f3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json b/packages/cef/2.3.4/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json new file mode 100755 index 0000000000..f3176b2af1 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" + }, + "title": " Dashboard Navigation [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-4f045e14-8e20-47ed-a6d1-219dd3c8ed5c) | [Network Suspicious Activity](#/dashboard/cef-04749697-de8d-49b3-8eca-c873ab2c5ac9) | [Endpoint Overview](#dashboard/cef-a0030996-9c7b-4f66-bd5a-59b23a7e7c15) | [Endpoint Activity](#/dashboard/cef-85d71d6a-69fc-46a5-bf38-f94c177fbabf) | [Microsoft DNS Overview](#/dashboard/cef-607f756e-288d-499a-8f8a-33791354ffaf)\"},\"title\":\" Dashboard Navigation [Logs CEF]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d42600fb-ea45-4dc9-a5d2-dd6a502fb76e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json b/packages/cef/2.3.4/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json new file mode 100755 index 0000000000..c076beb64e --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Metrics Overview [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d7d7bd9e-c767-428c-b7de-d09f9d87f652", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-357351f2-fbd1-41b6-9b03-592fbb7aec7c", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json b/packages/cef/2.3.4/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json new file mode 100755 index 0000000000..3fe6aa4bce --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Size [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d85b0ce0-4fa7-4fe5-9fe1-41cf40606ef3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json b/packages/cef/2.3.4/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json new file mode 100755 index 0000000000..0cab527765 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-daa1fe0b-a698-4429-8e5d-db251502276c.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Bandwidth Utilization [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-daa1fe0b-a698-4429-8e5d-db251502276c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json b/packages/cef/2.3.4/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json new file mode 100755 index 0000000000..4a6677a4a9 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-dd339ff5-6b26-4455-ae06-f3b5591479e3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcomes Breakdown [Logs CEF]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#BF1B00\",\"unknown\":\"#3F2B5B\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF]\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-dd339ff5-6b26-4455-ae06-f3b5591479e3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-41770860-2a81-4ce7-b8b4-a0c6970725b0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json b/packages/cef/2.3.4/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json new file mode 100755 index 0000000000..6cf6e86635 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Ports by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json b/packages/cef/2.3.4/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json new file mode 100755 index 0000000000..20bdf88f92 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 20 Behaviors by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json b/packages/cef/2.3.4/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json new file mode 100755 index 0000000000..cb732f40b3 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Device Types [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json b/packages/cef/2.3.4/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json new file mode 100755 index 0000000000..5387593733 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Devices by Bandwidth [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json b/packages/cef/2.3.4/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json new file mode 100755 index 0000000000..3c1744583b --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-efa710e7-907c-4723-92cd-2bd2276f44dd.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Source [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-efa710e7-907c-4723-92cd-2bd2276f44dd", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json b/packages/cef/2.3.4/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json new file mode 100755 index 0000000000..4c21032237 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Sources by Destination Ports [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json b/packages/cef/2.3.4/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json new file mode 100755 index 0000000000..827c7905e2 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events Types by Severity [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json b/packages/cef/2.3.4/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json new file mode 100755 index 0000000000..5b23c7fb8e --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Size [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json b/packages/cef/2.3.4/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json new file mode 100755 index 0000000000..aed8102339 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Application Protocols [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f5258de9-71f7-410f-b713-201007f77470", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json b/packages/cef/2.3.4/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json new file mode 100755 index 0000000000..74a61138dc --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Types by Vendor [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"exclude\":\"\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Types by Vendor [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json b/packages/cef/2.3.4/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json new file mode 100755 index 0000000000..afc14f82bb --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-f856a77c-a0fd-4047-afa6-e21a912814c5.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Endpoint Average EPS [Logs CEF]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset:\\\"cef.log\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f856a77c-a0fd-4047-afa6-e21a912814c5", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json b/packages/cef/2.3.4/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json new file mode 100755 index 0000000000..32a6dda32a --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Unique Destinations and Ports by Source [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json b/packages/cef/2.3.4/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json new file mode 100755 index 0000000000..cce501f750 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Event Types by Size [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json b/packages/cef/2.3.4/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json new file mode 100755 index 0000000000..0907dbbef8 --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Ports by Outcomes [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json b/packages/cef/2.3.4/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json new file mode 100755 index 0000000000..df5b0a6e9f --- /dev/null +++ b/packages/cef/2.3.4/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcome by Device Type [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.3.4/manifest.yml b/packages/cef/2.3.4/manifest.yml new file mode 100755 index 0000000000..a56419f83c --- /dev/null +++ b/packages/cef/2.3.4/manifest.yml @@ -0,0 +1,26 @@ +name: cef +title: Common Event Format (CEF) +version: 2.3.4 +release: ga +description: Collect logs from CEF Logs with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: + - network + - security +conditions: + kibana.version: ^8.0.0 +policy_templates: + - name: cef + title: CEF logs + description: Collect logs from CEF instances + inputs: + - type: logfile + title: "Collect CEF application logs (input: logfile)" + description: "Collecting application logs from CEF instances (input: logfile)" + - type: udp + title: "Collect CEF application logs (input: udp)" + description: "Collecting application logs from CEF instances (input: udp)" +owner: + github: elastic/security-external-integrations diff --git a/packages/cisco_asa/2.8.0/LICENSE.txt b/packages/cisco_asa/2.8.0/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cisco_asa/2.8.0/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_asa/2.8.0/changelog.yml b/packages/cisco_asa/2.8.0/changelog.yml new file mode 100755 index 0000000000..6e6db0bf56 --- /dev/null +++ b/packages/cisco_asa/2.8.0/changelog.yml @@ -0,0 +1,178 @@ +# newer versions go on top +- version: "2.8.0" + changes: + - description: Harmonise with pipeline with Cisco FTD. + type: enhancement + link: https://github.com/elastic/integrations/issues/4380 +- version: "2.7.7" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4400 +- version: "2.7.6" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "2.7.5" + changes: + - description: Fix handling of 302020 event messages. + type: bugfix + link: https://github.com/elastic/integrations/pull/4209 +- version: "2.7.4" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "2.7.3" + changes: + - description: Fix handling of non-canonical 113005 messages. + type: bugfix + link: https://github.com/elastic/integrations/pull/4189 +- version: "2.7.2" + changes: + - description: Clean up grok pattern naming. + type: bugfix + link: https://github.com/elastic/integrations/pull/4163 +- version: "2.7.1" + changes: + - description: Fix handling of some non-canonical log formats. + type: bugfix + link: https://github.com/elastic/integrations/pull/3943 +- version: "2.7.0" + changes: + - description: Add handling of AAA operations. + type: enhancement + link: https://github.com/elastic/integrations/pull/3740 +- version: "2.6.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3842 +- version: "2.5.2" + changes: + - description: Improve TCP, SSL config description and example. + type: enhancement + link: https://github.com/elastic/integrations/pull/3763 +- version: "2.5.1" + changes: + - description: Fix handling of user parsing when SGT fields are present. + type: bugfix + link: https://github.com/elastic/integrations/pull/3650 + - description: Fix handling of user parsing for 302013 and 302015 events. + type: bugfix + link: https://github.com/elastic/integrations/pull/3650 +- version: "2.5.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "2.4.2" + changes: + - description: Map syslog priority details according to ECS + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 + - description: Extract syslog facility and severity codes from syslog priority + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 +- version: "2.4.1" + changes: + - description: Ensure invalid event.outcome does not get recorded in event + type: bugfix + link: https://github.com/elastic/integrations/pull/3354 +- version: "2.4.0" + changes: + - description: Add TCP input with TLS support + type: enhancement + link: https://github.com/elastic/integrations/pull/3312 +- version: "2.3.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "2.2.2" + changes: + - description: Change visualizations to use event.code instead of cisco.asa.message_id. + type: bugfix + link: https://github.com/elastic/integrations/pull/3146 +- version: "2.2.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "2.2.0" + changes: + - description: Add community_id processor, update 805001, 304001, 106023 and 602304 message parsing. elastic/beats#26879 + type: enhancement + link: https://github.com/elastic/integrations/pull/2820 + - description: Add user.name field to ASA Security negotiation log line. elastic/beats#26975 + type: enhancement + link: https://github.com/elastic/integrations/pull/2820 + - description: Change event.outcome and event.type handling to be more ECS compliant. elastic/beats#29698 + type: enhancement + link: https://github.com/elastic/integrations/pull/2820 +- version: "2.1.0" + changes: + - description: Add parsing for event code 113029-113040 + type: enhancement + link: https://github.com/elastic/integrations/pull/2535 +- version: "2.0.1" + changes: + - description: Clarify configuration option documentation + type: bugfix + link: https://github.com/elastic/integrations/pull/2649 +- version: "2.0.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2389 +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2236 +- version: "1.2.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1952 +- version: "1.2.1" + changes: + - description: Relax time parsing and capture group and session type in Cisco ASA module + type: bugfix + link: https://github.com/elastic/integrations/pull/1891 +- version: "1.2.0" + changes: + - description: Add support for Cisco ASA SIP events + type: enhancement + link: https://github.com/elastic/integrations/pull/1865 +- version: "1.1.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1805 +- version: "1.1.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1782 +- version: "1.0.1" + changes: + - description: Adding missing ECS fields + type: bugfix + link: https://github.com/elastic/integrations/pull/1732 +- version: "1.0.0" + changes: + - description: Split Cisco ASA into its own package + type: enhancement + link: https://github.com/elastic/integrations/pull/1583 diff --git a/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..1190ec3f3c --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/stream.yml.hbs @@ -0,0 +1,20 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..169989f2d7 --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,22 @@ +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} diff --git a/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..e01f113448 --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,16 @@ +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/cisco_asa/2.8.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/2.8.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..8f83ba13d0 --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,2262 @@ +--- +description: "Pipeline for Cisco ASA logs" +processors: + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: ecs.version + value: '8.4.0' + # + # Parse the syslog header + # + # This populates the host.hostname, process.name, timestamp and other fields + # from the header and stores the message contents in _temp_.full_message. + - grok: + field: event.original + patterns: + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" + pattern_definitions: + SYSLOG_HEADER: "(?:%{SYSPRIORITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" + SYSPRIORITY: "<%{NONNEGINT:log.syslog.priority:int}>" + # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. + FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" + ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" + PROCESS: "(?:[^%\\s:\\[]+)" + SYSLOG_END: "(?:(:|\\s)\\s+)" + # exactly match the syntax for firepower management logs + PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" + HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + - script: + lang: painless + source: | + if (ctx.log?.syslog?.priority != null) { + def severity = new HashMap(); + severity['code'] = ctx.log.syslog.priority&0x7; + ctx.log.syslog['severity'] = severity; + def facility = new HashMap(); + facility['code'] = ctx.log.syslog.priority>>3; + ctx.log.syslog['facility'] = facility; + } + + # + # Parse FTD/ASA style message + # + # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. + - grok: + field: _temp_.full_message + patterns: + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. + - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{{ _ingest.on_failure_message }}}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{{ event.timezone }}}" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{{ _ingest.on_failure_message }}}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + description: "106007" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + description: "106010" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + description: "106013" + pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + description: "106013" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + description: "106013" + value: inbound + - grok: + if: "ctx._temp_.cisco.message_id == '106014'" + field: "message" + description: "106014" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" + - grok: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + description: "106015" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IPORHOST:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106022" + - grok: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + description: "106023" + patterns: + - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + description: "106027" + pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + description: "106100" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + field: "message" + description: "106103" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + description: "111004" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + description: "111004" + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + description: "111004" + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + description: "111004" + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + description: "111010" + patterns: + - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113004'" + field: "message" + description: "113004" + pattern: "AAA user %{_temp_.cisco.aaa_type} Successful: server = %{destination.address} , User = %{source.user.name}" + - grok: + if: "ctx._temp_.cisco.message_id == '113005'" + description: "113005" + field: "message" + patterns: + - "AAA user authentication Rejected: reason = %{REASON}: server = %{IP:destination.address} : user = ?%{CISCO_USER:source.user.name}: user IP = %{IP:source.address}" + pattern_definitions: + REASON: (AAA failure|Account has been disabled) + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '113012'" + field: "message" + description: "113012" + pattern: "AAA user authentication Successful: local database: user = %{source.user.name}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + description: "113019" + pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113021'" + field: "message" + description: "113021" + pattern: "Attempted console login failed. User %{source.user.name} did NOT have appropriate Admin Rights." + - dissect: + if: "ctx._temp_.cisco.message_id == '113040'" + field: "message" + description: "113040" + pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}." + - grok: + if: '["113029","113030","113031","113032","113033","113034","113035","113036","113038","113039"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "113029, 113030, 113031, 113032, 113033, 113034, 113035, 113036, 113038, 113039" + patterns: + - "Group <%{NOTSPACE:source.user.group.name}> User <%{CISCO_USER:source.user.name}> IP <%{IP:source.address}>" + - "Group %{NOTSPACE:source.user.group.name} User %{CISCO_USER:source.user.name} IP %{IP:source.address}" + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - grok: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "302013, 302015" + patterns: + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port} \(%{IPORHOST:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + description: "303002" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - grok: + if: "ctx._temp_.cisco.message_id == '305012'" + field: "message" + description: "305012" + patterns: + - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} + pattern_definitions: + NOTCOLON: "[^:]*" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + - set: + if: '["302020"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "flow-creation" + description: "302020" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + description: "302020" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" + - grok: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + description: "304001" + patterns: + - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IPORHOST:destination.address}:%{GREEDYDATA:url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + description: "304001" + value: allowed + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + description: "304002" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - grok: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + description: "313001" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + description: "313004" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + description: "313005" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + description: "313008" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + description: "313009" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + description: "322001" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "message" + description: "338001" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + description: "338001" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + description: "338002" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + description: "338002" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + description: "338003" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + description: "338004" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + description: "338005" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + description: "338005" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + description: "338006" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "server.domain" + description: "338006" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338007'" + field: "message" + description: "338007" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338008'" + field: "message" + description: "338008" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "message" + description: "338101" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "server.domain" + description: "338101" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "message" + description: "338102" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "server.domain" + description: "338102" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338103'" + field: "message" + description: "338103" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338104'" + field: "message" + description: "338104" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "message" + description: "338201" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + description: "338201" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + description: "338202" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + description: "338202" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + description: "338203" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "server.domain" + description: "338203" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "message" + description: "338204" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "server.domain" + description: "338204" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "message" + description: "338301" + pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.address" + description: "338301" + value: "{{{destination.address}}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.port" + description: "338301" + value: "{{{destination.port}}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.address" + description: "338301" + value: "{{{source.address}}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.port" + description: "338301" + value: "{{{source.port}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + description: "502103" + pattern: "User priv level changed: Uname: %{server.user.name} From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.type" + description: "502103" + value: + - "group" + - "change" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.category" + description: "502103" + value: "iam" + - dissect: + if: "ctx._temp_.cisco.message_id == '507003'" + field: "message" + description: "507003" + pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" + - dissect: + if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "605004, 605005" + pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '609001'" + field: "message" + description: "609001" + pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '607001'" + field: "message" + description: "607001" + pattern: "Pre-allocate SIP %{_temp_.cisco.connection_type} secondary channel for %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} to %{_temp_.cisco.source_interface}:%{source.address} from %{_temp_.cisco.message} message" + - grok: + if: "ctx._temp_.cisco.message_id == '607001'" + description: "607001" + field: "_temp_.cisco.connection_type" + patterns: + - "%{CONNECTION}" + pattern_definitions: + TRANSPORTS: "(?:UDP|TCP)" + PROTOCOLS: "(?:RTP|RTCP)" + CONNECTION: "(?:%{TRANSPORTS:network.transport}|%{PROTOCOLS:network.protocol})" + ignore_failure: true + - dissect: + if: "ctx._temp_.cisco.message_id == '609002'" + field: "message" + description: "609002" + pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" + - dissect: + if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "611102, 611101" + pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}' + - dissect: + if: "ctx._temp_.cisco.message_id == '710003'" + field: "message" + description: "710003" + pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '710005'" + field: "message" + description: "710005" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713049'" + field: "message" + description: "713049" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + ignore_failure: true + - dissect: + if: "ctx._temp_.cisco.message_id == '713049'" + field: "message" + description: "713049" + pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for User (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + ignore_failure: true + - grok: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + description: "716002" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." + - grok: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + description: "722051" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - grok: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + description: "733100" + patterns: + - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} + - dissect: + if: "ctx._temp_.cisco.message_id == '734001'" + field: "message" + description: "734001" + pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + description: "805001" + pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + description: "805002" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - split: + field: "_temp_.cisco.dap_records" + separator: ",\\s+" + ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." + - grok: + if: "ctx._temp_.cisco.message_id == '716039'" + field: "message" + patterns: + - "Authentication: rejected, group = %{NOTSPACE:source.user.group.name} user = %{USER:source.user.name} , Session Type: %{NOTSPACE:_temp_.cisco.session_type}" + - "Group <%{NOTSPACE:source.user.group.name}> User <%{USER:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\." + - dissect: + if: "ctx._temp_.cisco.message_id == '750003'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - grok: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "message" + patterns: + - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" + # Handle ecs action outcome protocol + - set: + if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "unknown" + - set: + if: '["419002"].contains(ctx._temp_.cisco.message_id)' + field: "network.protocol" + value: "tcp" + - set: + if: '["110002"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "dropped" + - set: + if: '["713120"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["113004", "113012"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["113002", "113005", "113021"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["602303", "602304", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["605004", "611102"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["734001"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["716039"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["710005"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "dropped" + - set: + if: '["713901", "713902", "713903", "713904", "713905"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["113039"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "client-vpn-connected" + - set: + if: '["113029","113030","113031","113032","113033","113034","113035","113036","113037","113038"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "client-vpn-error" + - set: + if: '["113040"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "client-vpn-disconnected" + - set: + if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "connection-started" + - set: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "error" + - set: + if: '["113005", "113021", "605004", "611102", "716039"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "logon-failed" + - set: + if: '["113004", "113012", "611101", "734001"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "logged-in" + - append: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.type" + value: "error" + + # + # Handle 302xxx messages (Flow expiration a.k.a "Teardown") + # + - set: + if: '["305012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "flow-expiration" + description: "305012, 302014, 302016, 302018, 302021, 302036, 302304, 302306, 609001, 609002" + - grok: + field: "message" + if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" + patterns: + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + + # + # Decode FTD's Security Event Syslog Messages + # + # 43000x messages are security event syslog messages specific to FTD. + # Format is a comma-separated sequence of key: value pairs. + # + # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} + - kv: + if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "430001, 430002, 430003, 430004, 430005" + field_split: ",(?=[A-za-z1-9\\s]+:)" + value_split: ":" + target_field: "_temp_.orig_security" + trim_key: " " + trim_value: " " + ignore_failure: true + + # + # Remove _temp_.full_message. + # + # The field has been used as temporary buffer while decoding. The full message + # is kept under event.original. Processors below can still add a message field, as some + # security events contain an explanatory Message field. + - remove: + field: + - message + - _temp_.full_message + ignore_missing: true + + # + # Populate ECS fields from Security Events + # + # This script uses the key-value pairs from Security Events to populate + # the appropriate ECS fields. + # + # A single key can be mapped to multiple ECS fields, and more than one key can + # map to the same ECS field, which results in an array being created. + # + # This script performs an additional job: + # + # Before FTD version 6.3, the message_id was not included in Security Events. + # As this field encodes the kind of event (intrusion, connection, malware...) + # the script below will guess the right message_id from the keys present in + # the event. + # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: ["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", "430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); + #******************************************************************************* + # End of generated code. + #******************************************************************************* + + # + # Normalize ECS field values + # + - script: + lang: painless + params: + "ctx._temp_.cisco.message_id": + target: event.action + map: + "430001": intrusion-detected + "430002": connection-started + "430003": connection-finished + "430004": file-detected + "430005": malware-detected + "dns.question.type": + map: + "a host address": A + "ip6 address": AAAA + "text strings": TXT + "a domain name pointer": PTR + "an authoritative name server": NS + "the canonical name for an alias": CNAME + "marks the start of a zone of authority": SOA + "mail exchange": MX + "server selection": SRV + "dns.response_code": + map: + "non-existent domain": NXDOMAIN + "server failure": SERVFAIL + "query refused": REFUSED + "no error": NOERROR + source: | + def getField(Map src, String[] path) { + for (int i=0; i new HashMap()); + } + dest[path[path.length-1]] = value; + } + for (entry in params.entrySet()) { + def srcField = entry.getKey(); + def param = entry.getValue(); + String oldVal = getField(ctx, srcField.splitOnToken('.')); + if (oldVal == null) continue; + def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); + if (newVal != null) { + def dstField = param.getOrDefault('target', srcField); + setField(ctx, dstField.splitOnToken('.'), newVal); + } + } + - set: + if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null" + field: dns.response_code + value: NOERROR + - set: + if: 'ctx._temp_.cisco.message_id == "430001"' + field: event.action + value: intrusion-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430002"' + field: event.action + value: connection-started + - set: + if: 'ctx._temp_.cisco.message_id == "430003"' + field: event.action + value: connection-finished + - set: + if: 'ctx._temp_.cisco.message_id == "430004"' + field: event.action + value: file-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430005"' + field: event.action + value: malware-detected + + # + # Handle event.duration + # + # It can be set from ConnectionDuration FTD field above. This field holds + # seconds as a string. Copy it to _temp_.duration_hms so that the following + # processor converts it to the right value and populates start and end. + - set: + field: "_temp_.duration_hms" + value: "{{{event.duration}}}" + ignore_empty_value: true + + # + # Process the flow duration "hh:mm:ss" present in some messages + # This will fill event.start, event.end and event.duration + # + - script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + # + # Parse Source/Dest Username/Domain + # + - grok: + field: "_temp_.cisco.source_username" + if: 'ctx?._temp_?.cisco?.source_username != null' + ignore_failure: true + patterns: + - '%{CISCO_DOMAIN_USER:_temp_.cisco.source_username}%{CISCO_SGT}' + pattern_definitions: + CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} + CISCO_SGT: (, *%{NUMBER:_temp_.cisco.source_user_security_group_tag})? + CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? + - convert: + field: _temp_.cisco.source_user_security_group_tag + type: long + ignore_missing: true + - grok: + field: "_temp_.cisco.destination_username" + if: 'ctx?._temp_?.cisco?.destination_username != null' + ignore_failure: true + patterns: + - '%{CISCO_DOMAIN_USER:_temp_.cisco.destination_username}%{CISCO_SGT}' + pattern_definitions: + CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} + CISCO_SGT: (, *%{NUMBER:_temp_.cisco.destination_user_security_group_tag})? + CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? + - convert: + field: _temp_.cisco.destination_user_security_group_tag + type: long + ignore_missing: true + - set: + field: source.user.name + value: "{{{ _temp_.cisco.source_username }}}" + if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' + - set: + field: destination.user.name + value: "{{{ _temp_.cisco.destination_username }}}" + if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' + - grok: + field: "source.user.name" + if: 'ctx?.source?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER} + pattern_definitions: + CISCO_USER: "%{USERNAME:source.user.name}(@%{HOSTNAME:source.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? + - grok: + field: "destination.user.name" + if: 'ctx?.destination?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER} + pattern_definitions: + CISCO_USER: "%{USERNAME:destination.user.name}(@%{HOSTNAME:destination.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? + + # + # Normalize protocol names + # + - lowercase: + field: "network.transport" + ignore_failure: true + - lowercase: + field: "network.protocol" + ignore_failure: true + - lowercase: + field: "network.application" + ignore_failure: true + - lowercase: + field: "file.type" + ignore_failure: true + - lowercase: + field: "network.direction" + ignore_failure: true + - lowercase: + field: "network.type" + ignore_failure: true + # + # Populate network.iana_number from network.transport. Also does reverse + # mapping in case network.transport contains the iana_number. + # + - script: + if: "ctx?.network?.transport != null" + lang: painless + params: + icmp: 1 + igmp: 2 + ipv4: 4 + tcp: 6 + egp: 8 + igp: 9 + pup: 12 + udp: 17 + rdp: 27 + irtp: 28 + dccp: 33 + idpr: 35 + ipv6: 41 + ipv6-route: 43 + ipv6-frag: 44 + rsvp: 46 + gre: 47 + esp: 50 + ipv6-icmp: 58 + ipv6-nonxt: 59 + ipv6-opts: 60 + source: > + def net = ctx.network; + def iana = params[net.transport]; + if (iana != null) { + net['iana_number'] = iana; + return; + } + def reverse = new HashMap(); + def[] arr = new def[] { null }; + for (entry in params.entrySet()) { + arr[0] = entry.getValue(); + reverse.put(String.format("%d", arr), entry.getKey()); + } + def trans = reverse[net.transport]; + if (trans != null) { + net['iana_number'] = net.transport; + net['transport'] = trans; + } + # + # Normalize event.outcome + # + - lowercase: + field: "event.outcome" + ignore_missing: true + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "est-allowed"' + value: "allowed" + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "permitted"' + value: "allowed" + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "allow"' + value: allowed + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "deny"' + value: denied + - set: + field: "network.transport" + if: 'ctx.network?.transport == "icmpv6"' + value: "ipv6-icmp" + # + # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string + # + - convert: + field: source.port + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: destination.port + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: network.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: source.packets + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: destination.packets + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: _temp_.cisco.mapped_source_port + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: _temp_.cisco.mapped_destination_port + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: _temp_.cisco.icmp_code + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: _temp_.cisco.icmp_type + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: http.response.status_code + type: integer + ignore_failure: true + - convert: + field: file.size + type: integer + ignore_failure: true + - convert: + field: network.iana_number + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: sip.to.uri.port + type: integer + ignore_failure: true + # + # Assign ECS .ip fields from .address is a valid IP address is found, + # otherwise set .domain field. + # + - grok: + field: source.address + patterns: + - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" + ignore_failure: true + - grok: + field: destination.address + patterns: + - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" + ignore_failure: true + - grok: + field: client.address + patterns: + - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" + ignore_failure: true + - grok: + field: server.address + patterns: + - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" + ignore_failure: true + # + # Geolocation for source and destination addresses + # + - geoip: + field: "source.ip" + target_field: "source.geo" + ignore_missing: true + - geoip: + field: "destination.ip" + target_field: "destination.geo" + ignore_missing: true + # + # IP Autonomous System (AS) Lookup + # + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + # + # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address. + # + - grok: + field: _temp_.natsrcip + patterns: + - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$" + ignore_failure: true + - grok: + field: _temp_.natdstip + patterns: + - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$" + ignore_failure: true + # + # NAT fields + # + # The firewall always populates mapped ip and port even if there was no NAT. + # This populates both nat.ip and nat.port only when some translation is done. + # Fills nat.ip and nat.port even when only the ip or port changed. + - set: + field: source.nat.ip + value: "{{{_temp_.cisco.mapped_source_ip}}}" + if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" + ignore_empty_value: true + - convert: + field: source.nat.ip + type: ip + ignore_missing: true + - set: + field: source.nat.port + value: "{{{_temp_.cisco.mapped_source_port}}}" + if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" + ignore_empty_value: true + - convert: + field: source.nat.port + type: long + ignore_missing: true + - set: + field: destination.nat.ip + value: "{{{_temp_.cisco.mapped_destination_ip}}}" + if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" + ignore_empty_value: true + - convert: + field: destination.nat.ip + type: ip + ignore_missing: true + - set: + field: destination.nat.port + value: "{{{_temp_.cisco.mapped_destination_port}}}" + if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" + ignore_empty_value: true + - convert: + field: destination.nat.port + type: long + ignore_missing: true + # + # Zone-based Network Directionality + # + # If external and internal zones are specified and our ingress/egress zones are + # populated, then we can classify traffic directionality based off of our defined + # zones rather than the logs. + - set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.egress?.zone != null && + ctx?.observer?.ingress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) + + - set: + field: _temp_.url_domain + value: "{{{url.domain}}}" + ignore_failure: true + if: ctx?.url?.domain != null + + - uri_parts: + field: url.original + ignore_failure: true + if: ctx?.url?.original != null + - append: + field: url.domain + value: "{{{_temp_.url_domain}}}" + ignore_failure: true + allow_duplicates: false + if: ctx?._temp_?.url_domain != null + + # + # Populate ECS event.code + # + - rename: + field: _temp_.cisco.message_id + target_field: event.code + ignore_failure: true + - remove: + field: + - _temp_.cisco.message_id + - event.code + if: 'ctx._temp_.cisco.message_id == ""' + ignore_failure: true + # + # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. + # + - rename: + field: _temp_.cisco + target_field: "cisco.asa" + ignore_failure: true + # + # Remove temporary fields + # + - remove: + field: _temp_ + ignore_missing: true + # + # Rename some 7.x fields + # + - rename: + field: cisco.asa.list_id + target_field: cisco.asa.rule_name + ignore_missing: true + # ECS categorization + - script: + lang: painless + params: + connection-finished: + kind: event + category: + - network + type: + - end + connection-started: + kind: event + category: + - network + type: + - start + file-detected: + kind: alert + category: + - malware + type: + - info + firewall-rule: + kind: event + category: + - network + type: [] + flow-creation: + kind: event + category: + - network + type: + - connection + - start + flow-expiration: + kind: event + category: + - network + type: + - connection + - end + intrusion-detected: + kind: alert + category: + - intrusion_detection + type: + - info + logged-in: + kind: event + category: + - authentication + - network + type: ['allowed', 'info'] + logon-failed: + kind: event + category: + - authentication + - network + type: ['denied', 'info'] + malware-detected: + kind: alert + category: + - malware + type: + - info + bypass: + kind: event + category: + - network + type: + - info + - change + error: + kind: event + outcome: failure + category: + - network + type: + - error + deleted: + kind: event + category: + - network + type: + - info + - deletion + - user + creation: + kind: event + category: + - network + type: + - info + - creation + - user + client-vpn-connected: + kind: event + category: + - network + - session + type: + - connection + - start + client-vpn-error: + kind: event + category: + - network + type: + - connection + - error + - denied + client-vpn-disconnected: + kind: event + category: + - network + type: + - connection + - end + source: >- + if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { + return; + } + + ctx.event.kind = params.get(ctx.event.action).get('kind'); + ctx.event.category = params.get(ctx.event.action).get('category').clone(); + ctx.event.type = params.get(ctx.event.action).get('type').clone(); + if (ctx?.event?.outcome == null || (!ctx.event.category.contains('network') && !ctx.event.category.contains('intrusion_detection'))) { + if (ctx?.event?.action == 'firewall-rule') { + ctx.event.type.add('info'); + } else if (ctx?.event?.action.startsWith('connection-')) { + ctx.event.type.add('connection'); + } + return; + } + if (ctx.event.outcome == 'allowed') { + ctx.event.outcome = 'success'; + ctx.event.type.add('connection'); + ctx.event.type.add('allowed'); + } else if (ctx.event.outcome == 'denied' || ctx.event.outcome == 'block') { + ctx.event.outcome = 'success'; + ctx.event.type.add('connection'); + ctx.event.type.add('denied'); + } else if (ctx.event.outcome == 'dropped') { + ctx.event.outcome = 'failure'; + ctx.event.type.add('connection'); + ctx.event.type.add('denied'); + } else if (ctx?.event?.action == 'firewall-rule') { + ctx.event.type.add('info'); + } else if (ctx?.event?.action.startsWith('connection-')) { + ctx.event.type.add('connection'); + } + if (ctx.event.outcome == 'monitored') { + ctx.event.category.add('intrusion_detection'); + ctx.event.outcome = 'success'; + } + + # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases. + - set: + if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.asa.security.sha_disposition)' + field: event.kind + value: alert + - append: + if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.asa.security.sha_disposition)' + field: event.category + value: file + + - set: + description: copy destination.user.name to user.name if it is not set + field: user.name + value: "{{{destination.user.name}}}" + ignore_empty_value: true + if: ctx?.user?.name == null + + # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. + - set: + field: observer.hostname + value: "{{{ host.hostname }}}" + ignore_empty_value: true + - set: + field: observer.vendor + value: "Cisco" + ignore_empty_value: true + - set: + field: observer.type + value: "firewall" + ignore_empty_value: true + - set: + field: observer.product + value: "asa" + ignore_empty_value: true + - set: + field: observer.egress.interface.name + value: "{{{ cisco.asa.destination_interface }}}" + ignore_empty_value: true + - set: + field: observer.ingress.interface.name + value: "{{{ cisco.asa.source_interface }}}" + ignore_empty_value: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: "ctx?.source?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{{source.nat.ip}}}" + if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{{destination.ip}}}" + if: "ctx?.destination?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{{destination.nat.ip}}}" + if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false + - append: + field: related.user + value: "{{{user.name}}}" + if: ctx?.user?.name != null && ctx?.user?.name != '' + allow_duplicates: false + - append: + field: related.user + value: "{{{server.user.name}}}" + if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '' + allow_duplicates: false + - append: + field: related.user + value: "{{{source.user.name}}}" + if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' + allow_duplicates: false + - append: + field: related.user + value: "{{{destination.user.name}}}" + if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' + allow_duplicates: false + - append: + field: related.hash + value: "{{{file.hash.sha256}}}" + if: "ctx?.file?.hash?.sha256 != null" + allow_duplicates: false + - append: + field: related.hosts + value: "{{{host.hostname}}}" + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{observer.hostname}}}" + if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{destination.domain}}}" + if: ctx.destination?.domain != null && ctx.destination?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{source.domain}}}" + if: ctx.source?.domain != null && ctx.source?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{source.user.domain}}}" + if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{destination.user.domain}}}" + if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' + allow_duplicates: false + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - community_id: + ignore_missing: true + ignore_failure: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + # Copy any fields under _temp_.cisco to its final destination. Those can help + # with diagnosing the failure. + - rename: + field: _temp_.cisco + target_field: "cisco.asa" + ignore_failure: true + # Remove _temp_ to avoid adding a lot of unnecessary fields to the index. + - remove: + field: _temp_ + ignore_missing: true + - append: + field: "error.message" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/cisco_asa/2.8.0/data_stream/log/fields/agent.yml b/packages/cisco_asa/2.8.0/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..d38a70bd6b --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/fields/agent.yml @@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/cisco_asa/2.8.0/data_stream/log/fields/base-fields.yml b/packages/cisco_asa/2.8.0/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..4a5f053438 --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_asa +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_asa.log diff --git a/packages/cisco_asa/2.8.0/data_stream/log/fields/ecs.yml b/packages/cisco_asa/2.8.0/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..f7cd9e3399 --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/fields/ecs.yml @@ -0,0 +1,508 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + normalize: + - array + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/cisco_asa/2.8.0/data_stream/log/fields/fields.yml b/packages/cisco_asa/2.8.0/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..37c02de23d --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/fields/fields.yml @@ -0,0 +1,218 @@ +- name: cisco.asa + type: group + fields: + - name: message_id + type: keyword + description: > + The Cisco ASA message identifier. + + - name: suffix + type: keyword + description: > + Optional suffix after %ASA identifier. + + - name: source_interface + type: keyword + description: > + Source interface for the flow or event. + + - name: destination_interface + type: keyword + description: > + Destination interface for the flow or event. + + - name: rule_name + type: keyword + description: > + Name of the Access Control List rule that matched this event. + + - name: source_username + type: keyword + description: > + Name of the user that is the source for this event. + + - name: source_user_security_group_tag + type: long + description: > + The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. + + - name: destination_username + type: keyword + description: > + Name of the user that is the destination for this event. + + - name: destination_user_security_group_tag + type: long + description: > + The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. + + - name: mapped_source_ip + type: ip + description: > + The translated source IP address. + + - name: mapped_source_port + type: long + description: > + The translated source port. + + - name: mapped_destination_ip + type: ip + description: > + The translated destination IP address. + + - name: mapped_destination_port + type: long + description: > + The translated destination port. + + - name: threat_level + type: keyword + description: > + Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + + - name: threat_category + type: keyword + description: > + Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + + - name: connection_id + type: keyword + description: > + Unique identifier for a flow. + + - name: icmp_type + type: short + description: > + ICMP type. + + - name: icmp_code + type: short + description: > + ICMP code. + + - name: aaa_type + type: keyword + description: > + The AAA operation type. One of authentication, authorization, or accounting. + + - name: connection_type + type: keyword + description: > + The VPN connection type + + - name: session_type + type: keyword + default_field: false + description: > + Session type (for example, IPsec or UDP). + + - name: dap_records + type: keyword + description: > + The assigned DAP records + + - name: mapped_destination_host + type: keyword + - name: username + type: keyword + - name: mapped_source_host + type: keyword + - name: command_line_arguments + default_field: false + type: keyword + description: > + The command line arguments logged by the local audit log + + - name: assigned_ip + default_field: false + type: ip + description: > + The IP address assigned to a VPN client successfully connecting + + - name: privilege.old + default_field: false + type: keyword + description: > + When a users privilege is changed this is the old value + + - name: privilege.new + default_field: false + type: keyword + description: > + When a users privilege is changed this is the new value + + - name: burst.object + default_field: false + type: keyword + description: > + The related object for burst warnings + + - name: burst.id + default_field: false + type: keyword + description: > + The related rate ID for burst warnings + + - name: burst.current_rate + default_field: false + type: keyword + description: > + The current burst rate seen + + - name: burst.configured_rate + default_field: false + type: keyword + description: > + The current configured burst rate + + - name: burst.avg_rate + default_field: false + type: keyword + description: > + The current average burst rate seen + + - name: burst.configured_avg_rate + default_field: false + type: keyword + description: > + The current configured average burst rate allowed + + - name: burst.cumulative_count + default_field: false + type: keyword + description: > + The total count of burst rate hits since the object was created or cleared + + - name: security + type: flattened + description: Cisco FTD security event fields. + - name: webvpn.group_name + type: keyword + default_field: false + description: > + The WebVPN group name the user belongs to + + - name: termination_initiator + type: keyword + default_field: false + description: > + Interface name of the side that initiated the teardown + + - name: tunnel_type + type: keyword + default_field: false + description: > + SA type (remote access or L2L) + + - name: termination_user + default_field: false + type: keyword + description: > + AAA name of user requesting termination + + - name: message + default_field: false + type: keyword + description: >- + The message associated with SIP and Skinny VoIP events diff --git a/packages/cisco_asa/2.8.0/data_stream/log/manifest.yml b/packages/cisco_asa/2.8.0/data_stream/log/manifest.yml new file mode 100755 index 0000000000..2293945655 --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/manifest.yml @@ -0,0 +1,156 @@ +title: Cisco ASA logs +type: logs +streams: + - input: udp + title: Cisco ASA logs + description: Collect Cisco ASA logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-asa + - forwarded + - name: udp_host + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9001 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Cisco ASA logs + description: Collect Cisco ASA logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-asa + - forwarded + - name: tcp_host + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9001 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details. + multi: false + required: false + show_user: false + default: | + #certificate: "/etc/server/cert.pem" + #key: "/etc/server/key.pem" + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. + - input: logfile + enabled: false + title: Cisco ASA logs + description: Collect Cisco ASA logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/cisco-asa.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-asa + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_asa/2.8.0/data_stream/log/sample_event.json b/packages/cisco_asa/2.8.0/data_stream/log/sample_event.json new file mode 100755 index 0000000000..8236d873b3 --- /dev/null +++ b/packages/cisco_asa/2.8.0/data_stream/log/sample_event.json @@ -0,0 +1,107 @@ +{ + "@timestamp": "2018-10-10T12:34:56.000Z", + "agent": { + "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0", + "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "data_stream": { + "dataset": "cisco_asa.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8256 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "305011", + "dataset": "cisco_asa.log", + "ingested": "2022-06-21T10:34:19Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", + "severity": 6, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "informational", + "source": { + "address": "192.168.208.4:52674" + } + }, + "network": { + "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "192.168.98.44" + ] + }, + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "tags": [ + "preserve_original_event", + "cisco-asa", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/docs/README.md b/packages/cisco_asa/2.8.0/docs/README.md new file mode 100755 index 0000000000..566ea2439c --- /dev/null +++ b/packages/cisco_asa/2.8.0/docs/README.md @@ -0,0 +1,333 @@ +# Cisco ASA Integration + +This integration is for Cisco ASA network device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: + +- `log` dataset: supports Cisco ASA firewall logs. + +## Logs + +### ASA + +The `log` dataset collects the Cisco ASA firewall logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2018-10-10T12:34:56.000Z", + "agent": { + "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0", + "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "cisco": { + "asa": { + "destination_interface": "outside", + "source_interface": "inside" + } + }, + "data_stream": { + "dataset": "cisco_asa.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "192.168.98.44", + "ip": "192.168.98.44", + "port": 8256 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "c077f5c5-ca69-4197-9db5-7963794bdac3", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "305011", + "dataset": "cisco_asa.log", + "ingested": "2022-06-21T10:34:19Z", + "kind": "event", + "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", + "severity": 6, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "localhost" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "informational", + "source": { + "address": "192.168.208.4:52674" + } + }, + "network": { + "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "outside" + } + }, + "hostname": "localhost", + "ingress": { + "interface": { + "name": "inside" + } + }, + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "process": { + "name": "CiscoASA", + "pid": 999 + }, + "related": { + "hosts": [ + "localhost" + ], + "ip": [ + "172.31.98.44", + "192.168.98.44" + ] + }, + "source": { + "address": "172.31.98.44", + "ip": "172.31.98.44", + "port": 1772 + }, + "tags": [ + "preserve_original_event", + "cisco-asa", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cisco.asa.aaa_type | The AAA operation type. One of authentication, authorization, or accounting. | keyword | +| cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.asa.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.asa.burst.configured_rate | The current configured burst rate | keyword | +| cisco.asa.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.asa.burst.current_rate | The current burst rate seen | keyword | +| cisco.asa.burst.id | The related rate ID for burst warnings | keyword | +| cisco.asa.burst.object | The related object for burst warnings | keyword | +| cisco.asa.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.asa.connection_id | Unique identifier for a flow. | keyword | +| cisco.asa.connection_type | The VPN connection type | keyword | +| cisco.asa.dap_records | The assigned DAP records | keyword | +| cisco.asa.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.asa.destination_user_security_group_tag | The Security Group Tag for the destination user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. | long | +| cisco.asa.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.asa.icmp_code | ICMP code. | short | +| cisco.asa.icmp_type | ICMP type. | short | +| cisco.asa.mapped_destination_host | | keyword | +| cisco.asa.mapped_destination_ip | The translated destination IP address. | ip | +| cisco.asa.mapped_destination_port | The translated destination port. | long | +| cisco.asa.mapped_source_host | | keyword | +| cisco.asa.mapped_source_ip | The translated source IP address. | ip | +| cisco.asa.mapped_source_port | The translated source port. | long | +| cisco.asa.message | The message associated with SIP and Skinny VoIP events | keyword | +| cisco.asa.message_id | The Cisco ASA message identifier. | keyword | +| cisco.asa.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.asa.security | Cisco FTD security event fields. | flattened | +| cisco.asa.session_type | Session type (for example, IPsec or UDP). | keyword | +| cisco.asa.source_interface | Source interface for the flow or event. | keyword | +| cisco.asa.source_user_security_group_tag | The Security Group Tag for the source user. Security Group Tag are 16-bit identifiers used to represent logical group privilege. | long | +| cisco.asa.source_username | Name of the user that is the source for this event. | keyword | +| cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword | +| cisco.asa.termination_initiator | Interface name of the side that initiated the teardown | keyword | +| cisco.asa.termination_user | AAA name of user requesting termination | keyword | +| cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.asa.tunnel_type | SA type (remote access or L2L) | keyword | +| cisco.asa.username | | keyword | +| cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/cisco_asa/2.8.0/img/cisco.svg b/packages/cisco_asa/2.8.0/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_asa/2.8.0/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/img/kibana-cisco-asa.png b/packages/cisco_asa/2.8.0/img/kibana-cisco-asa.png new file mode 100755 index 0000000000..ad51be2204 Binary files /dev/null and b/packages/cisco_asa/2.8.0/img/kibana-cisco-asa.png differ diff --git a/packages/cisco_asa/2.8.0/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..be56be76ce --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,53 @@ +{ + "attributes": { + "description": "Sample dashboard for Cisco ASA Firewall devices", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Destination Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Source Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"ASA Firewall Events Over Time\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"ASA Flows by Network Bytes\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"Blocked by Source\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_5\",\"title\":\"Top ACL by Blocked\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"9\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Cisco] ASA Firewall", + "version": 1 + }, + "id": "cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..c4e9b835ce --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "All ASA Logs [Cisco]", + "version": 1 + }, + "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..827e718b96 --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"flow-expiration\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "ASA Firewall flows [Cisco]", + "version": 1 + }, + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..ecea457cb0 --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"firewall-rule\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "ASA Firewall Events [Cisco]", + "version": 1 + }, + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..3d47d84b87 --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.outcome:\\\"deny\\\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Top ACL by Blocked [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ACL ID\",\"field\":\"cisco.asa.rule_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Top ACL by Blocked [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..6f81464b3a --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Port and Transport [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Destination Port and Transport [Cisco]\",\"type\":\"pie\"}" + }, + "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..68171576d0 --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Source Port and Transport [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Source Port and Transport [Cisco]\",\"type\":\"pie\"}" + }, + "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..a39f27880f --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Flows by Network Bytes [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"3\",\"label\":\"Total bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total bytes\"},\"type\":\"value\"}]},\"title\":\"ASA Flows by Network Bytes [Cisco]\",\"type\":\"histogram\"}" + }, + "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..67b75fd248 --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Events Over Time [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"ASA Events Over Time [Cisco]\",\"type\":\"histogram\"}" + }, + "id": "cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..cab50f4d5c --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Firewall Blocked by Source [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Firewall Blocked by Source [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..0b55816042 --- /dev/null +++ b/packages/cisco_asa/2.8.0/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top ASA Messages [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ID\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Severity\",\"field\":\"log.level\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Sample message\",\"field\":\"event.original\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top ASA Messages [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.8.0/manifest.yml b/packages/cisco_asa/2.8.0/manifest.yml new file mode 100755 index 0000000000..f76c1e8627 --- /dev/null +++ b/packages/cisco_asa/2.8.0/manifest.yml @@ -0,0 +1,39 @@ +format_version: 1.0.0 +name: cisco_asa +title: Cisco ASA +version: "2.8.0" +license: basic +description: Collect logs from Cisco ASA with Elastic Agent. +type: integration +categories: + - network + - security +release: ga +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +screenshots: + - src: /img/kibana-cisco-asa.png + title: kibana cisco asa + size: 1800x1559 + type: image/png +icons: + - src: /img/cisco.svg + title: cisco + size: 216x216 + type: image/svg+xml +policy_templates: + - name: cisco_asa + title: Cisco ASA logs + description: Collect logs from Cisco ASA instances + inputs: + - type: tcp + title: Collect logs from Cisco ASA via TCP + description: Collecting logs from Cisco ASA via TCP + - type: udp + title: Collect logs from Cisco ASA via UDP + description: Collecting logs from Cisco ASA via UDP + - type: logfile + title: Collect logs from Cisco ASA via file + description: Collecting logs from Cisco ASA via file +owner: + github: elastic/security-external-integrations diff --git a/packages/cisco_ftd/2.4.6/LICENSE.txt b/packages/cisco_ftd/2.4.6/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_ftd/2.4.6/changelog.yml b/packages/cisco_ftd/2.4.6/changelog.yml new file mode 100755 index 0000000000..83a5451896 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/changelog.yml @@ -0,0 +1,142 @@ +# newer versions go on top +- version: "2.4.6" + changes: + - description: Harmonise with pipeline with Cisco ASA. + type: bugfix + link: https://github.com/elastic/integrations/issues/4380 +- version: "2.4.5" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4400 +- version: "2.4.4" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "2.4.3" + changes: + - description: Fix handling of 302020 event messages. + type: bugfix + link: https://github.com/elastic/integrations/pull/4209 +- version: "2.4.2" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "2.4.1" + changes: + - description: Clean up grok pattern naming. + type: bugfix + link: https://github.com/elastic/integrations/pull/4163 +- version: "2.4.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3842 +- version: "2.3.1" + changes: + - description: Improve TCP, SSL config description and example. + type: enhancement + link: https://github.com/elastic/integrations/pull/3763 +- version: "2.3.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "2.2.2" + changes: + - description: Map syslog priority details according to ECS + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 + - description: Extract syslog facility and severity codes from syslog priority + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 +- version: "2.2.1" + changes: + - description: Remove invalid values from ECS fields + type: bugfix + link: https://github.com/elastic/integrations/pull/3344 +- version: "2.2.0" + changes: + - description: Add TLS system test + type: enhancement + link: https://github.com/elastic/integrations/pull/3339 + - description: Add TCP input with TLS support + type: enhancement + link: https://github.com/elastic/integrations/pull/3313 +- version: "2.1.1" + changes: + - description: Added link to Cisco's FTD documentation in readme + type: enhancement + link: https://github.com/elastic/integrations/pull/2931 +- version: "2.1.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "2.0.4" + changes: + - description: Set event.kind to alert only when sha_disposition is malware or custom + type: bugfix + link: https://github.com/elastic/integrations/pull/3041 +- version: "2.0.3" + changes: + - description: Make fields agree with ECS + type: bugfix + link: https://github.com/elastic/integrations/pull/3018 +- version: "2.0.2" + changes: + - description: Update observer to ftd and idps to better match this integration. + type: bugfix + link: https://github.com/elastic/integrations/pull/2551 +- version: "2.0.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "2.0.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2391 +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2258 +- version: "1.1.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1954 +- version: "1.1.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1806 +- version: "1.1.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1783 +- version: "1.0.1" + changes: + - description: Adding missing ECS fields + type: bugfix + link: https://github.com/elastic/integrations/pull/1731 +- version: "1.0.0" + changes: + - description: Initial version to split Cisco FTD out from the general Cisco package + type: enhancement + link: https://github.com/elastic/integrations/pull/1586 diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..28ea4aaa98 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/stream.yml.hbs @@ -0,0 +1,20 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..8f3ae72293 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,22 @@ +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..e129442a23 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,16 @@ +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/2.4.6/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..211562b40f --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,2227 @@ +--- +description: "Pipeline for Cisco FTD logs" +processors: + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: ecs.version + value: '8.4.0' + # + # Parse the syslog header + # + # This populates the host.hostname, process.name, timestamp and other fields + # from the header and stores the message contents in _temp_.full_message. + - grok: + field: event.original + patterns: + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" + pattern_definitions: + SYSLOG_HEADER: "(?:%{SYSPRIORITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" + SYSPRIORITY: "<%{NONNEGINT:log.syslog.priority:int}>" + # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. + FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" + ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" + PROCESS: "(?:[^%\\s:\\[]+)" + SYSLOG_END: "(?:(:|\\s)\\s+)" + # exactly match the syntax for firepower management logs + PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" + HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + - script: + lang: painless + source: | + if (ctx.log?.syslog?.priority != null) { + def severity = new HashMap(); + severity['code'] = ctx.log.syslog.priority&0x7; + ctx.log.syslog['severity'] = severity; + def facility = new HashMap(); + facility['code'] = ctx.log.syslog.priority>>3; + ctx.log.syslog['facility'] = facility; + } + + # + # Parse FTD/ASA style message + # + # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. + - grok: + field: _temp_.full_message + patterns: + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. + - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{{ _ingest.on_failure_message }}}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{{ event.timezone }}}" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{{ _ingest.on_failure_message }}}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + description: "106007" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + description: "106010" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + description: "106013" + pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + description: "106013" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + description: "106013" + value: inbound + - grok: + if: "ctx._temp_.cisco.message_id == '106014'" + field: "message" + description: "106014" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" + - grok: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + description: "106015" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IPORHOST:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: "message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106022" + - grok: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + description: "106023" + patterns: + - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + description: "106027" + pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + description: "106100" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + field: "message" + description: "106103" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + description: "111004" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + description: "111004" + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + description: "111004" + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + description: "111004" + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + description: "111010" + patterns: + - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113004'" + field: "message" + description: "113004" + pattern: "AAA user %{_temp_.cisco.aaa_type} Successful: server = %{destination.address} , User = %{source.user.name}" + - grok: + if: "ctx._temp_.cisco.message_id == '113005'" + description: "113005" + field: "message" + patterns: + - "AAA user authentication Rejected: reason = %{REASON}: server = %{IP:destination.address} : user = ?%{CISCO_USER:source.user.name}: user IP = %{IP:source.address}" + pattern_definitions: + REASON: (AAA failure|Account has been disabled) + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '113012'" + field: "message" + description: "113012" + pattern: "AAA user authentication Successful: local database: user = %{source.user.name}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + description: "113019" + pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113021'" + field: "message" + description: "113021" + pattern: "Attempted console login failed. User %{source.user.name} did NOT have appropriate Admin Rights." + - dissect: + if: "ctx._temp_.cisco.message_id == '113040'" + field: "message" + description: "113040" + pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}." + - grok: + if: '["113029","113030","113031","113032","113033","113034","113035","113036","113038","113039"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "113029, 113030, 113031, 113032, 113033, 113034, 113035, 113036, 113038, 113039" + patterns: + - "Group <%{NOTSPACE:source.user.group.name}> User <%{CISCO_USER:source.user.name}> IP <%{IP:source.address}>" + - "Group %{NOTSPACE:source.user.group.name} User %{CISCO_USER:source.user.name} IP %{IP:source.address}" + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - grok: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "302013, 302015" + patterns: + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port} \(%{IPORHOST:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + description: "303002" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - grok: + if: "ctx._temp_.cisco.message_id == '305012'" + field: "message" + description: "305012" + patterns: + - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} + pattern_definitions: + NOTCOLON: "[^:]*" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + - set: + if: '["302020"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "flow-creation" + description: "302020" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + description: "302020" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" + - grok: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + description: "304001" + patterns: + - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IPORHOST:destination.address}:%{GREEDYDATA:url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + description: "304001" + value: success + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + description: "304002" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - grok: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + description: "313001" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + description: "313004" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + description: "313005" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + description: "313008" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + description: "313009" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + description: "322001" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "message" + description: "338001" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + description: "338001" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + description: "338002" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + description: "338002" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + description: "338003" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + description: "338004" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + description: "338005" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + description: "338005" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + description: "338006" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "server.domain" + description: "338006" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338007'" + field: "message" + description: "338007" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338008'" + field: "message" + description: "338008" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "message" + description: "338101" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338101'" + field: "server.domain" + description: "338101" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "message" + description: "338102" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338102'" + field: "server.domain" + description: "338102" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338103'" + field: "message" + description: "338103" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338104'" + field: "message" + description: "338104" + pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "message" + description: "338201" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338201'" + field: "server.domain" + description: "338201" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "message" + description: "338202" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338202'" + field: "server.domain" + description: "338202" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "message" + description: "338203" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338203'" + field: "server.domain" + description: "338203" + value: "{{{source.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "message" + description: "338204" + pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338204'" + field: "server.domain" + description: "338204" + value: "{{{destination.domain}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "message" + description: "338301" + pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.address" + description: "338301" + value: "{{{destination.address}}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "client.port" + description: "338301" + value: "{{{destination.port}}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.address" + description: "338301" + value: "{{{source.address}}}" + ignore_empty_value: true + - set: + if: "ctx._temp_.cisco.message_id == '338301'" + field: "server.port" + description: "338301" + value: "{{{source.port}}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + description: "502103" + pattern: "User priv level changed: Uname: %{server.user.name} From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.type" + description: "502103" + value: + - "group" + - "change" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.category" + description: "502103" + value: "iam" + - dissect: + if: "ctx._temp_.cisco.message_id == '507003'" + field: "message" + description: "507003" + pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" + - dissect: + if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "605004, 605005" + pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '609001'" + field: "message" + description: "609001" + pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '607001'" + field: "message" + description: "607001" + pattern: "Pre-allocate SIP %{_temp_.cisco.connection_type} secondary channel for %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} to %{_temp_.cisco.source_interface}:%{source.address} from %{_temp_.cisco.message} message" + - grok: + if: "ctx._temp_.cisco.message_id == '607001'" + description: "607001" + field: "_temp_.cisco.connection_type" + patterns: + - "%{CONNECTION}" + pattern_definitions: + TRANSPORTS: "(?:UDP|TCP)" + PROTOCOLS: "(?:RTP|RTCP)" + CONNECTION: "(?:%{TRANSPORTS:network.transport}|%{PROTOCOLS:network.protocol})" + ignore_failure: true + - dissect: + if: "ctx._temp_.cisco.message_id == '609002'" + field: "message" + description: "609002" + pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" + - dissect: + if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "611102, 611101" + pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}' + - dissect: + if: "ctx._temp_.cisco.message_id == '710003'" + field: "message" + description: "710003" + pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '710005'" + field: "message" + description: "710005" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713049'" + field: "message" + description: "713049" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + ignore_failure: true + - dissect: + if: "ctx._temp_.cisco.message_id == '713049'" + field: "message" + description: "713049" + pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for User (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + ignore_failure: true + - grok: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + description: "716002" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." + - grok: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + description: "722051" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - grok: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + description: "733100" + patterns: + - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} + - dissect: + if: "ctx._temp_.cisco.message_id == '734001'" + field: "message" + description: "734001" + pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + description: "805001" + pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + description: "805002" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - split: + field: "_temp_.cisco.dap_records" + separator: ",\\s+" + ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." + - grok: + if: "ctx._temp_.cisco.message_id == '716039'" + field: "message" + patterns: + - "Authentication: rejected, group = %{NOTSPACE:source.user.group.name} user = %{USER:source.user.name} , Session Type: %{NOTSPACE:_temp_.cisco.session_type}" + - "Group <%{NOTSPACE:source.user.group.name}> User <%{USER:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\." + - dissect: + if: "ctx._temp_.cisco.message_id == '750003'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - grok: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "message" + patterns: + - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" + # Handle ecs action outcome protocol + - set: + if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "unknown" + - set: + if: '["419002"].contains(ctx._temp_.cisco.message_id)' + field: "network.protocol" + value: "tcp" + - set: + if: '["110002"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["713120"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["113004", "113012"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["113002", "113005", "113021"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["602303", "602304", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["605004", "611102"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["734001"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["716039"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["710005"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["713901", "713902", "713903", "713904", "713905"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["113039"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "client-vpn-connected" + - set: + if: '["113029","113030","113031","113032","113033","113034","113035","113036","113037","113038"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "client-vpn-error" + - set: + if: '["113040"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "client-vpn-disconnected" + - set: + if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "connection-started" + - set: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "error" + - set: + if: '["113005", "113021", "605004", "611102", "716039"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "logon-failed" + - set: + if: '["113004", "113012", "611101", "734001"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "logged-in" + - append: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.type" + value: "error" + + # + # Handle 302xxx messages (Flow expiration a.k.a "Teardown") + # + - set: + if: '["305012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "flow-expiration" + description: "305012, 302014, 302016, 302018, 302021, 302036, 302304, 302306, 609001, 609002" + - grok: + field: "message" + if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" + patterns: + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + pattern_definitions: + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + IPORHOST: "(?:%{IP}|%{HOSTNAME})" + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) + + # + # Decode FTD's Security Event Syslog Messages + # + # 43000x messages are security event syslog messages specific to FTD. + # Format is a comma-separated sequence of key: value pairs. + # + # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} + - kv: + if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "430001, 430002, 430003, 430004, 430005" + field_split: ",(?=[A-za-z1-9\\s]+:)" + value_split: ":" + target_field: "_temp_.orig_security" + trim_key: " " + trim_value: " " + ignore_failure: true + + # + # Remove _temp_.full_message. + # + # The field has been used as temporary buffer while decoding. The full message + # is kept under event.original. Processors below can still add a message field, as some + # security events contain an explanatory Message field. + - remove: + field: + - message + - _temp_.full_message + ignore_missing: true + + # + # Populate ECS fields from Security Events + # + # This script uses the key-value pairs from Security Events to populate + # the appropriate ECS fields. + # + # A single key can be mapped to multiple ECS fields, and more than one key can + # map to the same ECS field, which results in an array being created. + # + # This script performs an additional job: + # + # Before FTD version 6.3, the message_id was not included in Security Events. + # As this field encodes the kind of event (intrusion, connection, malware...) + # the script below will guess the right message_id from the keys present in + # the event. + # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: ["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", "430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); + #******************************************************************************* + # End of generated code. + #******************************************************************************* + + # + # Normalize ECS field values + # + - script: + lang: painless + params: + "ctx._temp_.cisco.message_id": + target: event.action + map: + "430001": intrusion-detected + "430002": connection-started + "430003": connection-finished + "430004": file-detected + "430005": malware-detected + "dns.question.type": + map: + "a host address": A + "ip6 address": AAAA + "text strings": TXT + "a domain name pointer": PTR + "an authoritative name server": NS + "the canonical name for an alias": CNAME + "marks the start of a zone of authority": SOA + "mail exchange": MX + "server selection": SRV + "dns.response_code": + map: + "non-existent domain": NXDOMAIN + "server failure": SERVFAIL + "query refused": REFUSED + "no error": NOERROR + source: | + def getField(Map src, String[] path) { + for (int i=0; i new HashMap()); + } + dest[path[path.length-1]] = value; + } + for (entry in params.entrySet()) { + def srcField = entry.getKey(); + def param = entry.getValue(); + String oldVal = getField(ctx, srcField.splitOnToken('.')); + if (oldVal == null) continue; + def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); + if (newVal != null) { + def dstField = param.getOrDefault('target', srcField); + setField(ctx, dstField.splitOnToken('.'), newVal); + } + } + - set: + if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null" + field: dns.response_code + value: NOERROR + - set: + if: 'ctx._temp_.cisco.message_id == "430001"' + field: event.action + value: intrusion-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430002"' + field: event.action + value: connection-started + - set: + if: 'ctx._temp_.cisco.message_id == "430003"' + field: event.action + value: connection-finished + - set: + if: 'ctx._temp_.cisco.message_id == "430004"' + field: event.action + value: file-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430005"' + field: event.action + value: malware-detected + + # + # Handle event.duration + # + # It can be set from ConnectionDuration FTD field above. This field holds + # seconds as a string. Copy it to _temp_.duration_hms so that the following + # processor converts it to the right value and populates start and end. + - set: + field: "_temp_.duration_hms" + value: "{{{event.duration}}}" + ignore_empty_value: true + + # + # Process the flow duration "hh:mm:ss" present in some messages + # This will fill event.start, event.end and event.duration + # + - script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + # + # Parse Source/Dest Username/Domain + # + - grok: + field: "_temp_.cisco.source_username" + if: 'ctx?._temp_?.cisco?.source_username != null' + ignore_failure: true + patterns: + - '%{CISCO_DOMAIN_USER:_temp_.cisco.source_username}%{CISCO_SGT}' + pattern_definitions: + CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} + CISCO_SGT: (, *%{NUMBER:_temp_.cisco.source_user_security_group_tag})? + CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? + - convert: + field: _temp_.cisco.source_user_security_group_tag + type: long + ignore_missing: true + - grok: + field: "_temp_.cisco.destination_username" + if: 'ctx?._temp_?.cisco?.destination_username != null' + ignore_failure: true + patterns: + - '%{CISCO_DOMAIN_USER:_temp_.cisco.destination_username}%{CISCO_SGT}' + pattern_definitions: + CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} + CISCO_SGT: (, *%{NUMBER:_temp_.cisco.destination_user_security_group_tag})? + CISCO_USER: "%{USERNAME}(@%{HOSTNAME})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? + - convert: + field: _temp_.cisco.destination_user_security_group_tag + type: long + ignore_missing: true + - set: + field: source.user.name + value: "{{{ _temp_.cisco.source_username }}}" + if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' + - set: + field: destination.user.name + value: "{{{ _temp_.cisco.destination_username }}}" + if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' + - grok: + field: "source.user.name" + if: 'ctx?.source?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER} + pattern_definitions: + CISCO_USER: "%{USERNAME:source.user.name}(@%{HOSTNAME:source.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? + - grok: + field: "destination.user.name" + if: 'ctx?.destination?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER} + pattern_definitions: + CISCO_USER: "%{USERNAME:destination.user.name}(@%{HOSTNAME:destination.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? + + # + # Normalize protocol names + # + - lowercase: + field: "network.transport" + ignore_failure: true + - lowercase: + field: "network.protocol" + ignore_failure: true + - lowercase: + field: "network.application" + ignore_failure: true + - lowercase: + field: "file.type" + ignore_failure: true + - lowercase: + field: "network.direction" + ignore_failure: true + - lowercase: + field: "network.type" + ignore_failure: true + # + # Populate network.iana_number from network.transport. Also does reverse + # mapping in case network.transport contains the iana_number. + # + - script: + if: "ctx?.network?.transport != null" + lang: painless + params: + icmp: 1 + igmp: 2 + ipv4: 4 + tcp: 6 + egp: 8 + igp: 9 + pup: 12 + udp: 17 + rdp: 27 + irtp: 28 + dccp: 33 + idpr: 35 + ipv6: 41 + ipv6-route: 43 + ipv6-frag: 44 + rsvp: 46 + gre: 47 + esp: 50 + ipv6-icmp: 58 + ipv6-nonxt: 59 + ipv6-opts: 60 + source: > + def net = ctx.network; + def iana = params[net.transport]; + if (iana != null) { + net['iana_number'] = iana; + return; + } + def reverse = new HashMap(); + def[] arr = new def[] { null }; + for (entry in params.entrySet()) { + arr[0] = entry.getValue(); + reverse.put(String.format("%d", arr), entry.getKey()); + } + def trans = reverse[net.transport]; + if (trans != null) { + net['iana_number'] = net.transport; + net['transport'] = trans; + } + # + # Normalize event.outcome + # + - lowercase: + field: "event.outcome" + ignore_missing: true + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "est-allowed"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "permitted"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "allow"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "denied"' + value: failure + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "deny"' + value: failure + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "dropped"' + value: failure + - set: + field: "network.transport" + if: 'ctx.network?.transport == "icmpv6"' + value: "ipv6-icmp" + # + # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string + # + - convert: + field: source.port + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: destination.port + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: network.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: source.packets + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: destination.packets + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: _temp_.cisco.mapped_source_port + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: _temp_.cisco.mapped_destination_port + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: _temp_.cisco.icmp_code + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: _temp_.cisco.icmp_type + type: integer + ignore_failure: true + ignore_missing: true + - convert: + field: http.response.status_code + type: integer + ignore_failure: true + - convert: + field: file.size + type: integer + ignore_failure: true + - convert: + field: network.iana_number + type: string + ignore_failure: true + ignore_missing: true + - convert: + field: sip.to.uri.port + type: integer + ignore_failure: true + # + # Assign ECS .ip fields from .address is a valid IP address is found, + # otherwise set .domain field. + # + - grok: + field: source.address + patterns: + - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" + ignore_failure: true + - grok: + field: destination.address + patterns: + - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" + ignore_failure: true + - grok: + field: client.address + patterns: + - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" + ignore_failure: true + - grok: + field: server.address + patterns: + - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" + ignore_failure: true + # + # Geolocation for source and destination addresses + # + - geoip: + field: "source.ip" + target_field: "source.geo" + ignore_missing: true + - geoip: + field: "destination.ip" + target_field: "destination.geo" + ignore_missing: true + # + # IP Autonomous System (AS) Lookup + # + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + # + # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address. + # + - grok: + field: _temp_.natsrcip + patterns: + - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$" + ignore_failure: true + - grok: + field: _temp_.natdstip + patterns: + - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$" + ignore_failure: true + # + # NAT fields + # + # The firewall always populates mapped ip and port even if there was no NAT. + # This populates both nat.ip and nat.port only when some translation is done. + # Fills nat.ip and nat.port even when only the ip or port changed. + - set: + field: source.nat.ip + value: "{{{_temp_.cisco.mapped_source_ip}}}" + if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" + ignore_empty_value: true + - convert: + field: source.nat.ip + type: ip + ignore_missing: true + - set: + field: source.nat.port + value: "{{{_temp_.cisco.mapped_source_port}}}" + if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" + ignore_empty_value: true + - convert: + field: source.nat.port + type: long + ignore_missing: true + - set: + field: destination.nat.ip + value: "{{{_temp_.cisco.mapped_destination_ip}}}" + if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" + ignore_empty_value: true + - convert: + field: destination.nat.ip + type: ip + ignore_missing: true + - set: + field: destination.nat.port + value: "{{{_temp_.cisco.mapped_destination_port}}}" + if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" + ignore_empty_value: true + - convert: + field: destination.nat.port + type: long + ignore_missing: true + # + # Zone-based Network Directionality + # + # If external and internal zones are specified and our ingress/egress zones are + # populated, then we can classify traffic directionality based off of our defined + # zones rather than the logs. + - set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.egress?.zone != null && + ctx?.observer?.ingress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) + + - set: + field: _temp_.url_domain + value: "{{{url.domain}}}" + ignore_failure: true + if: ctx?.url?.domain != null + + - uri_parts: + field: url.original + ignore_failure: true + if: ctx?.url?.original != null + - append: + field: url.domain + value: "{{{_temp_.url_domain}}}" + ignore_failure: true + allow_duplicates: false + if: ctx?._temp_?.url_domain != null + + # + # Populate ECS event.code + # + - rename: + field: _temp_.cisco.message_id + target_field: event.code + ignore_failure: true + - remove: + field: + - _temp_.cisco.message_id + - event.code + if: 'ctx._temp_.cisco.message_id == ""' + ignore_failure: true + # + # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. + # + - rename: + field: _temp_.cisco + target_field: "cisco.ftd" + ignore_failure: true + # + # Remove temporary fields + # + - remove: + field: _temp_ + ignore_missing: true + # + # Rename some 7.x fields + # + - rename: + field: cisco.ftd.list_id + target_field: cisco.ftd.rule_name + ignore_missing: true + # ECS categorization + - script: + lang: painless + params: + connection-finished: + kind: event + category: + - network + type: + - connection + - end + connection-started: + kind: event + category: + - network + type: + - connection + - start + file-detected: + kind: alert + category: + - malware + type: + - info + firewall-rule: + kind: event + category: + - network + type: + - info + flow-creation: + kind: event + category: + - network + type: + - connection + - start + flow-expiration: + kind: event + category: + - network + type: + - connection + - end + intrusion-detected: + kind: alert + category: + - intrusion_detection + type: + - info + malware-detected: + kind: event + category: + - malware + type: + - info + bypass: + kind: event + category: + - network + type: + - info + - change + error: + kind: event + outcome: failure + category: + - network + type: + - error + deleted: + kind: event + category: + - network + type: + - info + - deletion + - user + creation: + kind: event + category: + - network + type: + - info + - creation + - user + source: >- + if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { + return; + } + ctx.event.kind = params.get(ctx.event.action).get('kind'); + ctx.event.category = params.get(ctx.event.action).get('category').clone(); + ctx.event.type = params.get(ctx.event.action).get('type').clone(); + if (ctx?.event?.outcome == null) { + return; + } + if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { + if (ctx.event.outcome == 'success') { + ctx.event.type.add('allowed'); + } + if (ctx.event.outcome == 'failure') { + ctx.event.type.add('denied'); + } + if (ctx.event.outcome == 'block') { + ctx.event.outcome = 'success'; + ctx.event.type.add('denied'); + } + if (ctx.event.outcome == 'monitored') { + ctx.event.category.add('intrusion_detection'); + ctx.event.outcome = 'success'; + } + } + + # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases. + - set: + if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' + field: event.kind + value: alert + - append: + if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' + field: event.category + value: file + + - set: + description: copy destination.user.name to user.name if it is not set + field: user.name + value: "{{{destination.user.name}}}" + ignore_empty_value: true + if: ctx?.user?.name == null + + # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. + - set: + field: observer.hostname + value: "{{{ host.hostname }}}" + ignore_empty_value: true + - set: + field: observer.vendor + value: "Cisco" + ignore_empty_value: true + - set: + field: observer.type + value: "idps" + ignore_empty_value: true + - set: + field: observer.product + value: "ftd" + ignore_empty_value: true + - set: + field: observer.egress.interface.name + value: "{{{ cisco.ftd.destination_interface }}}" + ignore_empty_value: true + - set: + field: observer.ingress.interface.name + value: "{{{ cisco.ftd.source_interface }}}" + ignore_empty_value: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: "ctx?.source?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{{source.nat.ip}}}" + if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{{destination.ip}}}" + if: "ctx?.destination?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{{destination.nat.ip}}}" + if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false + - append: + field: related.user + value: "{{{user.name}}}" + if: ctx?.user?.name != null && ctx?.user?.name != '' + allow_duplicates: false + - append: + field: related.user + value: "{{{server.user.name}}}" + if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '' + allow_duplicates: false + - append: + field: related.user + value: "{{{source.user.name}}}" + if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' + allow_duplicates: false + - append: + field: related.user + value: "{{{destination.user.name}}}" + if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' + allow_duplicates: false + - append: + field: related.hash + value: "{{{file.hash.sha256}}}" + if: "ctx?.file?.hash?.sha256 != null" + allow_duplicates: false + - append: + field: related.hosts + value: "{{{host.hostname}}}" + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{observer.hostname}}}" + if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{destination.domain}}}" + if: ctx.destination?.domain != null && ctx.destination?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{source.domain}}}" + if: ctx.source?.domain != null && ctx.source?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{source.user.domain}}}" + if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{{destination.user.domain}}}" + if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' + allow_duplicates: false + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - community_id: + ignore_missing: true + ignore_failure: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + # Copy any fields under _temp_.cisco to its final destination. Those can help + # with diagnosing the failure. + - rename: + field: _temp_.cisco + target_field: "cisco.ftd" + ignore_failure: true + # Remove _temp_ to avoid adding a lot of unnecessary fields to the index. + - remove: + field: _temp_ + ignore_missing: true + - append: + field: "error.message" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/fields/agent.yml b/packages/cisco_ftd/2.4.6/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..d38a70bd6b --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/fields/agent.yml @@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/2.4.6/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..c867421bad --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_ftd +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_ftd.log diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/2.4.6/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..c63d98f18d --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/fields/ecs.yml @@ -0,0 +1,580 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + normalize: + - array + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/fields/fields.yml b/packages/cisco_ftd/2.4.6/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..1472f59c52 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/fields/fields.yml @@ -0,0 +1,155 @@ +- name: cisco.ftd + type: group + fields: + - name: message_id + type: keyword + description: | + The Cisco FTD message identifier. + - name: suffix + type: keyword + description: | + Optional suffix after %FTD identifier. + - name: source_interface + type: keyword + description: | + Source interface for the flow or event. + - name: destination_interface + type: keyword + description: | + Destination interface for the flow or event. + - name: rule_name + type: keyword + description: | + Name of the Access Control List rule that matched this event. + - name: source_username + type: keyword + description: | + Name of the user that is the source for this event. + - name: destination_username + type: keyword + description: | + Name of the user that is the destination for this event. + - name: mapped_source_ip + type: ip + description: | + The translated source IP address. + - name: mapped_source_port + type: long + description: | + The translated source port. + - name: mapped_destination_ip + type: ip + description: | + The translated destination IP address. + - name: mapped_destination_port + type: long + description: | + The translated destination port. + - name: threat_level + type: keyword + description: | + Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + - name: threat_category + type: keyword + description: | + Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + - name: connection_id + type: keyword + description: | + Unique identifier for a flow. + - name: icmp_type + type: short + description: | + ICMP type. + - name: icmp_code + type: short + description: | + ICMP code. + - name: connection_type + type: keyword + description: | + The VPN connection type + - name: dap_records + type: keyword + description: | + The assigned DAP records + - name: mapped_destination_host + type: keyword + - name: username + type: keyword + - name: mapped_source_host + type: keyword + - name: command_line_arguments + default_field: false + type: keyword + description: | + The command line arguments logged by the local audit log + - name: assigned_ip + default_field: false + type: ip + description: | + The IP address assigned to a VPN client successfully connecting + - name: privilege.old + default_field: false + type: keyword + description: | + When a users privilege is changed this is the old value + - name: privilege.new + default_field: false + type: keyword + description: | + When a users privilege is changed this is the new value + - name: burst.object + default_field: false + type: keyword + description: | + The related object for burst warnings + - name: burst.id + default_field: false + type: keyword + description: | + The related rate ID for burst warnings + - name: burst.current_rate + default_field: false + type: keyword + description: | + The current burst rate seen + - name: burst.configured_rate + default_field: false + type: keyword + description: | + The current configured burst rate + - name: burst.avg_rate + default_field: false + type: keyword + description: | + The current average burst rate seen + - name: burst.configured_avg_rate + default_field: false + type: keyword + description: | + The current configured average burst rate allowed + - name: burst.cumulative_count + default_field: false + type: keyword + description: | + The total count of burst rate hits since the object was created or cleared + - name: security + type: flattened + description: Cisco FTD security event fields. + - name: webvpn.group_name + type: keyword + default_field: false + description: | + The WebVPN group name the user belongs to + - name: tunnel_type + type: keyword + default_field: false + description: > + SA type (remote access or L2L) + + - name: termination_user + default_field: false + type: keyword + description: |- + AAA name of user requesting termination diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/manifest.yml b/packages/cisco_ftd/2.4.6/data_stream/log/manifest.yml new file mode 100755 index 0000000000..7831571093 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/manifest.yml @@ -0,0 +1,153 @@ +title: Cisco FTD logs +type: logs +streams: + - input: udp + title: Cisco FTD logs + description: Collect Cisco FTD logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ftd + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP Port to listen on + multi: false + required: true + show_user: true + default: 9003 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Cisco FTD logs + description: Collect Cisco FTD logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ftd + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP Port to listen on + multi: false + required: true + show_user: true + default: 9003 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details. + multi: false + required: false + show_user: false + default: | + #certificate: "/etc/server/cert.pem" + #key: "/etc/server/key.pem" + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. + - input: logfile + enabled: false + title: Cisco FTD logs + description: Collect Cisco FTD logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/cisco-ftd.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ftd + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/cisco_ftd/2.4.6/data_stream/log/sample_event.json b/packages/cisco_ftd/2.4.6/data_stream/log/sample_event.json new file mode 100755 index 0000000000..fb0ff610fb --- /dev/null +++ b/packages/cisco_ftd/2.4.6/data_stream/log/sample_event.json @@ -0,0 +1,157 @@ +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "cf085b8c-2652-446c-93ab-0426f7cb54d1", + "id": "c46e592b-7ede-4f31-9714-c3e0bc5c3213", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco_ftd.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "c46e592b-7ede-4f31-9714-c3e0bc5c3213", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware", + "file" + ], + "code": "430005", + "dataset": "cisco_ftd.log", + "ingested": "2022-10-05T00:03:15Z", + "kind": "alert", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "alert", + "source": { + "address": "192.168.240.4:50316" + } + }, + "network": { + "application": "curl", + "community_id": "1:jk2uwniJ2oCG0t73HeZ9w8gtA8E=", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} \ No newline at end of file diff --git a/packages/cisco_ftd/2.4.6/docs/README.md b/packages/cisco_ftd/2.4.6/docs/README.md new file mode 100755 index 0000000000..577bd32488 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/docs/README.md @@ -0,0 +1,400 @@ +# Cisco FTD Integration + +This integration is for [Cisco](https://www.cisco.com/c/en/us/support/security/index.html) Firepower Threat Defence (FTD) device's logs. The package processes syslog messages from Cisco Firepower devices + +It includes the following datasets for receiving logs over syslog or read from a file: + +- `log` dataset: supports Cisco Firepower Threat Defense (FTD) logs. + +## Configuration + +Cisco provides a range of Firepower devices, which may have different configuration steps. We recommend users navigate to the device specific configuration page, and search for/go to the "FTD Logging" or "Configure Logging on FTD" page for the specific device. + +## Logs + +### FTD + +The `log` dataset collects the Cisco Firepower Threat Defense (FTD) logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "cf085b8c-2652-446c-93ab-0426f7cb54d1", + "id": "c46e592b-7ede-4f31-9714-c3e0bc5c3213", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco_ftd.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "c46e592b-7ede-4f31-9714-c3e0bc5c3213", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware", + "file" + ], + "code": "430005", + "dataset": "cisco_ftd.log", + "ingested": "2022-10-05T00:03:15Z", + "kind": "alert", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "alert", + "source": { + "address": "192.168.240.4:50316" + } + }, + "network": { + "application": "curl", + "community_id": "1:jk2uwniJ2oCG0t73HeZ9w8gtA8E=", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.ftd.burst.configured_rate | The current configured burst rate | keyword | +| cisco.ftd.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.ftd.burst.current_rate | The current burst rate seen | keyword | +| cisco.ftd.burst.id | The related rate ID for burst warnings | keyword | +| cisco.ftd.burst.object | The related object for burst warnings | keyword | +| cisco.ftd.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.ftd.connection_id | Unique identifier for a flow. | keyword | +| cisco.ftd.connection_type | The VPN connection type | keyword | +| cisco.ftd.dap_records | The assigned DAP records | keyword | +| cisco.ftd.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.ftd.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.ftd.icmp_code | ICMP code. | short | +| cisco.ftd.icmp_type | ICMP type. | short | +| cisco.ftd.mapped_destination_host | | keyword | +| cisco.ftd.mapped_destination_ip | The translated destination IP address. | ip | +| cisco.ftd.mapped_destination_port | The translated destination port. | long | +| cisco.ftd.mapped_source_host | | keyword | +| cisco.ftd.mapped_source_ip | The translated source IP address. | ip | +| cisco.ftd.mapped_source_port | The translated source port. | long | +| cisco.ftd.message_id | The Cisco FTD message identifier. | keyword | +| cisco.ftd.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.ftd.security | Cisco FTD security event fields. | flattened | +| cisco.ftd.source_interface | Source interface for the flow or event. | keyword | +| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | +| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | +| cisco.ftd.termination_user | AAA name of user requesting termination | keyword | +| cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.ftd.tunnel_type | SA type (remote access or L2L) | keyword | +| cisco.ftd.username | | keyword | +| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.status_code | HTTP response status code. | long | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/cisco_ftd/2.4.6/img/cisco.svg b/packages/cisco_ftd/2.4.6/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_ftd/2.4.6/manifest.yml b/packages/cisco_ftd/2.4.6/manifest.yml new file mode 100755 index 0000000000..391b832752 --- /dev/null +++ b/packages/cisco_ftd/2.4.6/manifest.yml @@ -0,0 +1,34 @@ +format_version: 1.0.0 +name: cisco_ftd +title: Cisco FTD +version: "2.4.6" +license: basic +description: Collect logs from Cisco FTD with Elastic Agent. +type: integration +categories: + - network + - security +release: ga +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +icons: + - src: /img/cisco.svg + title: cisco + size: 216x216 + type: image/svg+xml +policy_templates: + - name: cisco_ftd + title: Cisco FTD logs + description: Collect logs from Cisco FTD instances + inputs: + - type: tcp + title: Collect logs from Cisco FTD via TCP + description: Collecting logs from Cisco FTD via TCP + - type: udp + title: Collect logs from Cisco FTD via UDP + description: Collecting logs from Cisco FTD via UDP + - type: logfile + title: Collect logs from Cisco FTD via file + description: Collecting logs from Cisco FTD via file +owner: + github: elastic/security-external-integrations diff --git a/packages/cisco_ios/1.9.3/LICENSE.txt b/packages/cisco_ios/1.9.3/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cisco_ios/1.9.3/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_ios/1.9.3/changelog.yml b/packages/cisco_ios/1.9.3/changelog.yml new file mode 100755 index 0000000000..1acc2a7e8c --- /dev/null +++ b/packages/cisco_ios/1.9.3/changelog.yml @@ -0,0 +1,109 @@ +# newer versions go on top +- version: "1.9.3" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4400 +- version: "1.9.2" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "1.9.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.9.0" + changes: + - description: Handle ASR Log Format. + type: enhancement + link: https://github.com/elastic/integrations/pull/3694 +- version: "1.8.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3842 +- version: "1.7.2" + changes: + - description: Improve TCP, SSL config description and example. + type: enhancement + link: https://github.com/elastic/integrations/pull/3763 +- version: "1.7.1" + changes: + - description: update readme file - added link to cisco documentation + type: enhancement + link: https://github.com/elastic/integrations/pull/2932 +- version: "1.7.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.6.0" + changes: + - description: Add TLS system test + type: enhancement + link: https://github.com/elastic/integrations/pull/3338 + - description: Add TCP input with TLS support + type: enhancement + link: https://github.com/elastic/integrations/pull/3314 +- version: "1.5.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "1.4.2" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.4.1" + changes: + - description: Add missing event.original mapping + type: bugfix + link: https://github.com/elastic/integrations/pull/2636 +- version: "1.4.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2392 +- version: "1.3.0" + changes: + - description: Add syslog header and timestamp parsing. + type: enhancement + link: https://github.com/elastic/integrations/pull/2475 +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2279 +- version: "1.1.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1955 +- version: "1.1.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1807 +- version: "1.1.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1784 +- version: "1.0.0" + changes: + - description: Initial version of Cisco IOS as separate package + type: enhancement + link: https://github.com/elastic/integrations/pull/1582 diff --git a/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..eac70741c1 --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/stream.yml.hbs @@ -0,0 +1,26 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' + +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..4a401c1add --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,27 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' + +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..f0f20354c1 --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,22 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' + +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco_ios/1.9.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/1.9.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..74d2929aff --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,301 @@ +--- +description: Pipeline for Cisco IOS logs. + +processors: + - set: + field: ecs.version + value: '8.4.0' + - set: + field: event.category + value: network + - set: + field: event.provider + value: firewall + - set: + field: event.type + value: info + + - set: + field: event.original + copy_from: message + override: false + - remove: + field: message + ignore_missing: true + - dissect: + field: event.original + pattern: '%{_temp_.header} %%{message}' + - grok: + field: _temp_.header + patterns: + - '^<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER:cisco.ios.message_count}?: (?:%{SYSLOGHOST:log.syslog.hostname}: )?(?:%{NUMBER:cisco.ios.sequence}: )?(%{CISCO_TIMESTAMP:_temp_.cisco_timestamp}|%{NOTSPACE:cisco.ios.uptime}:)' + - '%{SYSLOGHOST:log.syslog.hostname} (%{NUMBER:cisco.ios.sequence}: )?%{CISCO_TIMESTAMP:_temp_.cisco_timestamp}' + pattern_definitions: + CISCO_TIMESTAMP: '%{CISCOTIMESTAMP}(?: %{TZ})?' + ignore_failure: true + - set: + field: event.sequence + copy_from: cisco.ios.sequence + if: ctx.cisco?.ios?.sequence != null + - convert: + field: cisco.ios.message_count + type: long + ignore_failure: true + - set: + field: event.sequence + copy_from: cisco.ios.message_count + if: ctx.cisco?.ios?.message_count != null && ctx.event?.sequence == null + ignore_failure: true + - gsub: + description: Remove double spacing from the date. + field: _temp_.cisco_timestamp + ignore_missing: true + pattern: ' {2,}' + replacement: ' ' + - set: + field: _conf.tz_offset + value: UTC + override: false + - date: + if: ctx?._temp_.cisco_timestamp != null + field: _temp_.cisco_timestamp + formats: + - "MMM d yyyy HH:mm:ss.SSS z" + - "MMM d yyyy HH:mm:ss.SSS" + - "MMM d yyyy HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + + # Repeat without year. + - "MMM d HH:mm:ss.SSS z" + - "MMM d HH:mm:ss.SSS" + - "MMM d HH:mm:ss z" + - "MMM d HH:mm:ss" + timezone: '{{{_conf.tz_offset}}}' + - grok: + field: message + patterns: + - "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:message}" + - convert: + field: event.severity + type: long + ignore_missing: true + - convert: + field: event.sequence + type: long + ignore_missing: true + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address}(%{source.port}) %{} %{destination.address}(%{destination.port}), %{source.packets} packet" + if: "['IPACCESSLOGP', 'ACCESSLOGP'].contains(ctx.event?.code)" + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{icmp.type}/%{icmp.code}), %{source.packets} packet" + if: "['IPACCESSLOGDP', 'ACCESSLOGDP'].contains(ctx.event?.code)" + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address}, %{source.packets} packet" + if: "ctx.event?.code == 'IPACCESSLOGRP'" + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address} %{} %{destination.address} (%{igmp.type}), %{source.packets} packet" + if: "['IPACCESSLOGSP', 'ACCESSLOGSP'].contains(ctx.event?.code)" + - dissect: + field: message + pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet" + if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx.event?.code)" + - dissect: + field: message + pattern: "%{cisco.ios.action} %{_temp_.event.action} [user: %{source.user.name}] [Source: %{source.address}] [localport: %{destination.port}] at %{}" + if: "ctx.event?.code == 'LOGIN_SUCCESS'" + - dissect: + field: message + pattern: "User %{source.user.name} has %{cisco.ios.action} %{cisco.ios.session.type} session %{cisco.ios.session.number}(%{source.address})" + if: "ctx.event?.code == 'LOGOUT'" + - grok: + field: message + patterns: + - 'Received \(%{PIM_SOURCE}, %{DATA:cisco.ios.pim.group.ip}\) %{WORD:cisco.ios.action} from %{IP:source.address} for %{DATA:cisco.ios.outcome} %{IP:destination.address}' + pattern_definitions: + PIM_SOURCE: (%{IP:cisco.ios.pim.source.ip}|%{DATA}) + if: "ctx.event?.code == 'INVALID_RP_JOIN'" + - set: + field: event.action + value: "multicast-join" + if: ctx.event?.code == "INVALID_RP_JOIN" + - set: + field: event.outcome + value: "failure" + if: ctx.event?.code == "INVALID_RP_JOIN" + - set: + field: event.reason + value: "Invalid RP" + if: ctx.event?.code == "INVALID_RP_JOIN" + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_failure: true + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_failure: true + - convert: + field: cisco.ios.pim.source.ip + type: ip + ignore_missing: true + - convert: + field: source.port + type: long + ignore_missing: true + - convert: + field: source.packets + type: long + ignore_missing: true + - convert: + field: destination.port + type: long + ignore_missing: true + - set: + field: network.packets + copy_from: source.packets + if: ctx.source?.packets != null + - set: + field: network.type + value: ipv4 + if: "ctx.source?.ip != null && ctx.source?.ip.contains('.')" + - set: + field: network.type + value: ipv6 + if: "ctx.source?.ip != null && ctx.network?.type == null" + - set: + field: event.action + value: deny + if: "ctx._temp_?.event?.action == 'denied'" + - set: + field: event.type + value: denied + if: "ctx.event?.action == 'deny'" + - set: + field: event.action + value: allow + if: "ctx._temp_?.event?.action == 'permitted'" + - set: + field: event.type + value: allowed + if: "ctx.event?.action == 'allow'" + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: emergencies + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + - append: + field: related.ip + value: "{{{source.ip}}}" + allow_duplicates: false + if: ctx.source?.ip != null + - append: + field: related.ip + value: "{{{destination.ip}}}" + allow_duplicates: false + if: ctx.destination?.ip != null + - append: + field: related.user + value: "{{{source.user.name}}}" + allow_duplicates: false + if: ctx.source?.user?.name != null + - community_id: + ignore_missing: true + ignore_failure: true + - remove: + field: + - _temp_ + - _conf + ignore_missing: true + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + +on_failure: + - remove: + field: + - _temp_ + - _conf + ignore_missing: true + - set: + field: error.message + value: "processor {{{ _ingest.on_failure_processor_type}}}: {{{ _ingest.on_failure_message }}}" diff --git a/packages/cisco_ios/1.9.3/data_stream/log/fields/agent.yml b/packages/cisco_ios/1.9.3/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..32d10234f9 --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/fields/agent.yml @@ -0,0 +1,216 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: elastic.agent.id + type: keyword +- name: elastic.agent.snapshot + type: boolean +- name: elastic.agent.version + type: keyword +- name: input.type + type: keyword +- name: log.offset + type: long +- name: log.source.address + type: keyword +- name: hostname + type: keyword + description: Hostname from syslog header. +- name: process.program + type: keyword + description: Process from syslog header. diff --git a/packages/cisco_ios/1.9.3/data_stream/log/fields/base-fields.yml b/packages/cisco_ios/1.9.3/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..2af9255d83 --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_ios +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_ios.log diff --git a/packages/cisco_ios/1.9.3/data_stream/log/fields/ecs.yml b/packages/cisco_ios/1.9.3/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..434bdb36b5 --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/fields/ecs.yml @@ -0,0 +1,246 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long diff --git a/packages/cisco_ios/1.9.3/data_stream/log/fields/fields.yml b/packages/cisco_ios/1.9.3/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..1eac30828a --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/fields/fields.yml @@ -0,0 +1,65 @@ +- name: cisco.ios + type: group + fields: + - name: access_list + type: keyword + description: | + Name of the IP access list. + - name: action + type: keyword + description: | + Action taken by the device + - name: facility + type: keyword + description: | + The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. + - name: pim + type: group + fields: + - name: group + type: group + fields: + - name: ip + type: ip + description: Multicast group IP + - name: source + type: group + fields: + - name: ip + type: ip + description: Multicast source IP + - name: outcome + type: keyword + description: The result of the event + - name: sequence + type: keyword + description: Sequence number provided by the device when the device's service sequence-numbers global configuration is set. + - name: message_count + type: long + description: Message count number provided by the device when the device's service message-counter global configuration is set. + - name: session + type: group + description: Fields for Session information + fields: + - name: number + type: integer + description: Session ID + - name: type + type: keyword + example: tty + description: Session type + - name: uptime + type: keyword + description: The uptime for the device. +- name: icmp.code + type: keyword + description: ICMP code. +- name: icmp.type + type: keyword + description: ICMP type. +- name: igmp.type + type: keyword + description: IGMP type. +- name: log.syslog.hostname + type: keyword + description: Hostname parsed from syslog header. diff --git a/packages/cisco_ios/1.9.3/data_stream/log/manifest.yml b/packages/cisco_ios/1.9.3/data_stream/log/manifest.yml new file mode 100755 index 0000000000..de5d50174a --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/manifest.yml @@ -0,0 +1,176 @@ +title: Cisco IOS logs +type: logs +streams: + - input: udp + title: Cisco IOS logs + description: Collect Cisco IOS logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ios + - forwarded + - name: syslog_host + type: text + title: Host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Syslog Port + multi: false + required: true + show_user: true + default: 9002 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: tz_offset + type: text + title: Timezone + multi: false + required: true + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Cisco IOS logs + description: Collect Cisco IOS logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ios + - forwarded + - name: syslog_host + type: text + title: Host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Syslog Port + multi: false + required: true + show_user: true + default: 9002 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: tz_offset + type: text + title: Timezone + multi: false + required: true + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate, keys, supported_protocols, verification_mode etc. See [SSL](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config) for details. + multi: false + required: false + show_user: false + default: | + #certificate: "/etc/server/cert.pem" + #key: "/etc/server/key.pem" + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. + - input: logfile + enabled: false + title: Cisco IOS logs + description: Collect Cisco IOS logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/cisco-ios.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-ios + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: tz_offset + type: text + title: Timezone + multi: false + required: true + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_ios/1.9.3/data_stream/log/sample_event.json b/packages/cisco_ios/1.9.3/data_stream/log/sample_event.json new file mode 100755 index 0000000000..8c6e38575d --- /dev/null +++ b/packages/cisco_ios/1.9.3/data_stream/log/sample_event.json @@ -0,0 +1,60 @@ +{ + "@timestamp": "2022-01-06T20:52:12.861Z", + "agent": { + "ephemeral_id": "4bd1343d-9dcb-41b1-acc2-0c9242506d4d", + "id": "9e9a5067-5380-4f64-9fb0-e004f4733651", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.2" + }, + "cisco": { + "ios": { + "facility": "SYS", + "message_count": 2360957 + } + }, + "data_stream": { + "dataset": "cisco_ios.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "9e9a5067-5380-4f64-9fb0-e004f4733651", + "snapshot": false, + "version": "8.3.2" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "code": "CONFIG_I", + "dataset": "cisco_ios.log", + "ingested": "2022-08-08T05:05:27Z", + "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)", + "provider": "firewall", + "sequence": 2360957, + "severity": 5, + "timezone": "+00:00", + "type": "info" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "notification", + "source": { + "address": "172.26.0.4:57514" + }, + "syslog": { + "priority": 189 + } + }, + "message": "Configured from console by akroh on vty0 (10.100.11.10)", + "tags": [ + "preserve_original_event", + "cisco-ios", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/cisco_ios/1.9.3/docs/README.md b/packages/cisco_ios/1.9.3/docs/README.md new file mode 100755 index 0000000000..4225296027 --- /dev/null +++ b/packages/cisco_ios/1.9.3/docs/README.md @@ -0,0 +1,198 @@ +# Cisco IOS Integration + +This integration is for [Cisco IOS network devices'](https://developer.cisco.com/docs/) logs. It includes the following +datasets for receiving logs over syslog or read from a file: + +## Log Configuration + +The Cisco appliance may be [configured in a variety of ways](https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html) to include or exclude fields. The Cisco IOS Integration expects the host name and timestamp to be present. If the `sequence-number` is configured to be present it will be used to populate `event.sequence`. If it is not, but `message-count` is configured to be present that field will be used in its place. + +### IOS + +The `log` dataset collects the Cisco IOS router and switch logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-01-06T20:52:12.861Z", + "agent": { + "ephemeral_id": "4bd1343d-9dcb-41b1-acc2-0c9242506d4d", + "id": "9e9a5067-5380-4f64-9fb0-e004f4733651", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.2" + }, + "cisco": { + "ios": { + "facility": "SYS", + "message_count": 2360957 + } + }, + "data_stream": { + "dataset": "cisco_ios.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "9e9a5067-5380-4f64-9fb0-e004f4733651", + "snapshot": false, + "version": "8.3.2" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "code": "CONFIG_I", + "dataset": "cisco_ios.log", + "ingested": "2022-08-08T05:05:27Z", + "original": "\u003c189\u003e2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)", + "provider": "firewall", + "sequence": 2360957, + "severity": 5, + "timezone": "+00:00", + "type": "info" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "notification", + "source": { + "address": "172.26.0.4:57514" + }, + "syslog": { + "priority": 189 + } + }, + "message": "Configured from console by akroh on vty0 (10.100.11.10)", + "tags": [ + "preserve_original_event", + "cisco-ios", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cisco.ios.access_list | Name of the IP access list. | keyword | +| cisco.ios.action | Action taken by the device | keyword | +| cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword | +| cisco.ios.message_count | Message count number provided by the device when the device's service message-counter global configuration is set. | long | +| cisco.ios.outcome | The result of the event | keyword | +| cisco.ios.pim.group.ip | Multicast group IP | ip | +| cisco.ios.pim.source.ip | Multicast source IP | ip | +| cisco.ios.sequence | Sequence number provided by the device when the device's service sequence-numbers global configuration is set. | keyword | +| cisco.ios.session.number | Session ID | integer | +| cisco.ios.session.type | Session type | keyword | +| cisco.ios.uptime | The uptime for the device. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| elastic.agent.id | | keyword | +| elastic.agent.snapshot | | boolean | +| elastic.agent.version | | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| hostname | Hostname from syslog header. | keyword | +| icmp.code | ICMP code. | keyword | +| icmp.type | ICMP type. | keyword | +| igmp.type | IGMP type. | keyword | +| input.type | | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | | long | +| log.source.address | | keyword | +| log.syslog.hostname | Hostname parsed from syslog header. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| process.program | Process from syslog header. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/cisco_ios/1.9.3/img/cisco.svg b/packages/cisco_ios/1.9.3/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_ios/1.9.3/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_ios/1.9.3/manifest.yml b/packages/cisco_ios/1.9.3/manifest.yml new file mode 100755 index 0000000000..6858fc444c --- /dev/null +++ b/packages/cisco_ios/1.9.3/manifest.yml @@ -0,0 +1,34 @@ +format_version: 1.0.0 +name: cisco_ios +title: Cisco IOS +version: "1.9.3" +license: basic +description: Collect logs from Cisco IOS with Elastic Agent. +type: integration +categories: + - network + - security +release: ga +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +icons: + - src: /img/cisco.svg + title: cisco + size: 216x216 + type: image/svg+xml +policy_templates: + - name: cisco_ios + title: Cisco IOS logs + description: Collect logs from Cisco IOS instances + inputs: + - type: tcp + title: Collect logs from Cisco IOS via TCP + description: Collecting logs from Cisco IOS via TCP + - type: udp + title: Collect logs from Cisco IOS via UDP + description: Collecting logs from Cisco IOS via UDP + - type: logfile + title: Collect logs from Cisco IOS via file + description: Collecting logs from Cisco IOS via file +owner: + github: elastic/security-external-integrations diff --git a/packages/cisco_ise/1.1.1/LICENSE.txt b/packages/cisco_ise/1.1.1/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cisco_ise/1.1.1/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_ise/1.1.1/changelog.yml b/packages/cisco_ise/1.1.1/changelog.yml new file mode 100755 index 0000000000..2775d36506 --- /dev/null +++ b/packages/cisco_ise/1.1.1/changelog.yml @@ -0,0 +1,31 @@ +# newer versions go on top +- version: "1.1.1" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4400 +- version: "1.1.0" + changes: + - description: Allow non-numeric task ID fields to be ingested + type: enhancement + link: https://github.com/elastic/integrations/pull/4087 +- version: "1.0.0" + changes: + - description: Make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/3859 +- version: "0.3.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3842 +- version: "0.2.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "0.1.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/2855 diff --git a/packages/cisco_ise/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ise/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..bc587e50a3 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,18 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_ise/1.1.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ise/1.1.1/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..deaa10ff90 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,15 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..c9e46cb7cf --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,139 @@ +--- +description: Pipeline for Cisco ISE logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{ISO8601_TIMEZONE:_tmp.timezone} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{DATA:cisco_ise.log.message.id} %{DATA:cisco_ise.log.segment.total:long} %{DATA:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$" + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{DATA:cisco_ise.log.message.id} %{DATA:cisco_ise.log.segment.total:long} %{DATA:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$" + - trim: + field: message + ignore_failure: true + - convert: + field: host.hostname + target_field: host.ip + type: ip + ignore_failure: true + - remove: + field: host.hostname + if: ctx?.host?.ip != null + - append: + field: related.ip + value: '{{{host.ip}}}' + if: ctx?.host?.ip != null + ignore_failure: true + - append: + field: related.hosts + value: '{{{host.hostname}}}' + if: ctx?.host?.hostname != null + ignore_failure: true + - rename: + field: _tmp.timezone + target_field: event.timezone + ignore_missing: true + - date: + field: _tmp.timestamp + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMM d HH:mm:ss + ignore_failure: true + - date: + if: ctx?.event?.timezone != null + field: _tmp.timestamp + timezone: '{{{event.timezone}}}' + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMM d HH:mm:ss + - pipeline: + name: '{{ IngestPipeline "pipeline_policy_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Policy_Diagnostics" + - pipeline: + name: '{{ IngestPipeline "pipeline_guest" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Guest" + - pipeline: + name: '{{ IngestPipeline "pipeline_mydevices" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_MyDevices" + - pipeline: + name: '{{ IngestPipeline "pipeline_internal_operations_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Internal_Operations_Diagnostics" + - pipeline: + name: '{{ IngestPipeline "pipeline_threat_centric_nac" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Threat_Centric_NAC" + - pipeline: + name: '{{ IngestPipeline "pipeline_posture_and_client_provisioning_audit" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Posture_and_Client_Provisioning_Audit" + - pipeline: + name: '{{ IngestPipeline "pipeline_radius_accounting" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_RADIUS_Accounting" + - pipeline: + name: '{{ IngestPipeline "pipeline_failed_attempts" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Failed_Attempts" + - pipeline: + name: '{{ IngestPipeline "pipeline_passed_authentications" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Passed_Authentications" + - pipeline: + name: '{{ IngestPipeline "pipeline_radius_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_RADIUS_Diagnostics" + - pipeline: + name: '{{ IngestPipeline "pipeline_ad_connector" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_AD_Connector" + - pipeline: + name: '{{ IngestPipeline "pipeline_authentication_flow_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Authentication_Flow_Diagnostics" + - pipeline: + name: '{{ IngestPipeline "pipeline_administrative_and_operational_audit" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Administrative_and_Operational_Audit" + - pipeline: + name: '{{ IngestPipeline "pipeline_system_statistics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_System_Statistics" + - pipeline: + name: '{{ IngestPipeline "pipeline_tacacs_accounting" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_TACACS_Accounting" + - pipeline: + name: '{{ IngestPipeline "pipeline_identity_stores_diagnostics" }}' + if: ctx?.cisco_ise?.log?.category?.name == "CISE_Identity_Stores_Diagnostics" + - lowercase: + field: log.syslog.severity.name + ignore_failure: true + - set: + field: log.level + copy_from: log.syslog.severity.name + ignore_empty_value: true + - remove: + field: + - _tmp + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- set: + field: error.message + value: '{{{_ingest.on_failure_message}}}' diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml new file mode 100755 index 0000000000..ed7649cf50 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_ad_connector.yml @@ -0,0 +1,139 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - trim: + field: cisco_ise.log.log_details + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["25012","25013","25015","25016","25017","25018","25033"], "name": "authentication"], + ["messageCodeArray": ["25037","25041","25046","25058"], "name": "configuration"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["25012","25013","25015","25016","25017","25018","25033","25037","25041","25046","25058"], "name": "info"], + ["messageCodeArray": ["25012","25018","51020","51021"], "name": "end"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.category = eventCategory; + ctx.event.type = eventType; + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - gsub: + field: cisco_ise.log.log_details + pattern: \\, + replacement: "" + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: AD-Admin + target_field: cisco_ise.log.ad.admin + ignore_missing: true + - rename: + field: AD-Domain + target_field: cisco_ise.log.ad.domain.name + ignore_missing: true + - rename: + field: AD-Domain-Controller + target_field: cisco_ise.log.ad.domain.controller + ignore_missing: true + - rename: + field: AD-Error-Details + target_field: cisco_ise.log.ad.error.details + ignore_missing: true + - rename: + field: AD-Forest + target_field: cisco_ise.log.ad.forest + ignore_missing: true + - rename: + field: AD-Hostname + target_field: cisco_ise.log.ad.hostname + ignore_missing: true + - append: + field: related.hosts + value: '{{{cisco_ise.log.ad.hostname}}}' + if: ctx?.cisco_ise?.log?.ad?.hostname != null + allow_duplicates: false + ignore_failure: true + - convert: + field: AD-IP-Address + target_field: cisco_ise.log.ad.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.ad.ip}}}' + if: ctx?.cisco_ise?.log?.ad?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AD-Log-Id + target_field: cisco_ise.log.ad.log_id + ignore_missing: true + - rename: + field: AD-Organization-Unit + target_field: cisco_ise.log.ad.organization_unit + ignore_missing: true + - rename: + field: AD-Site + target_field: cisco_ise.log.ad.site + ignore_missing: true + - rename: + field: AD-Log + target_field: cisco_ise.log.ad.log + ignore_failure: true + - rename: + field: AD-Srv-Query + target_field: cisco_ise.log.ad.srv.query + ignore_failure: true + - rename: + field: AD-Srv-Record + target_field: cisco_ise.log.ad.srv.record + ignore_failure: true + - remove: + field: + - AD-IP-Address + - ConfigVersionId + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml new file mode 100755 index 0000000000..8c8e808614 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml @@ -0,0 +1,340 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: cisco_ise.log.log_details + if: ctx?.cisco_ise?.log?.message?.code == "60067" + ignore_failure: true + patterns: + - "ConfigVersionId=%{DATA:ConfigVersionId}, OperationMessageText={%{DATA:OperationMessageText}}" + - grok: + field: cisco_ise.log.log_details + if: '["61025", "61026"].contains(ctx?.cisco_ise?.log?.message?.code)' + patterns: + - "ConfigVersionId=%{DATA:ConfigVersionId}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, , OperationMessageText=%{DATA:OperationMessageText}, AcsInstance=%{GREEDYDATA:AcsInstance}" + on_failure: + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + - grok: + field: cisco_ise.log.log_details + if: ctx?.cisco_ise?.log?.message?.code == "52001" + ignore_failure: true + patterns: + - "ConfigVersionId=%{DATA:ConfigVersionId}, FailureFlag=%{DATA:FailureFlag}, RequestResponseType=%{DATA:RequestResponseType}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, AdminName=%{DATA:AdminName}, %{GREEDYDATA:log_detail}" + - grok: + field: log_detail + if: ctx?.cisco_ise?.log?.message?.code == "52001" + ignore_failure: true + patterns: + - "ConfigChangeData=%{DATA:ConfigChangeData}, ObjectType=%{DATA:ObjectType}, ObjectName=%{DATA:ObjectName}, Component=%{DATA:Component}, ObjectInternalID=%{GREEDYDATA:ObjectInternalID}" + - "ConfigChangeData=%{DATA:ConfigChangeData}, ObjectType=%{DATA:ObjectType}, ObjectName=%{DATA:ObjectName}, OperationMessageText=%{GREEDYDATA:OperationMessageText}" + - "ObjectType=%{DATA:ObjectType}, ObjectName=%{DATA:ObjectName}, Component=%{DATA:Component}, ObjectInternalID=%{GREEDYDATA:ObjectInternalID}" + - "ConfigChangeData=%{DATA:ConfigChangeData}, ObjectType=%{DATA:ObjectType}, ObjectName=%{GREEDYDATA:ObjectName}" + - grok: + field: ConfigChangeData + if: ctx?.cisco_ise?.log?.message?.code == "52001" + ignore_failure: true + patterns: + - "^%{DATA:_tmp.temp}, Log Severity Level = %{DATA:LogSeverityLevel}\\\\,Local Logging = %{DATA:LocalLogging}\\\\,Assigned Targets = {%{DATA:AssignedTargets}}" + - grok: + field: cisco_ise.log.log_details + if: ctx?.cisco_ise?.log?.message?.code == "52002" + ignore_failure: true + patterns: + - "ConfigVersionId=%{DATA:ConfigVersionId}, AdminInterface=%{DATA:AdminInterface}, AdminIPAddress=%{DATA:AdminIPAddress}, %{GREEDYDATA:log_detail}" + - grok: + field: log_detail + if: ctx?.cisco_ise?.log?.message?.code == "52002" + ignore_failure: true + patterns: + - "AdminSession=%{DATA:AdminSession}, AdminName=%{DATA:AdminName}, ConfigChangeData=%{GREEDYDATA:ConfigChangeData}" + - "AdminName=%{DATA:AdminName}, ConfigChangeData=%{GREEDYDATA:ConfigChangeData}" + - "AdminName=%{DATA:AdminName}, %{GREEDYDATA:log_description}" + on_failure: + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + - kv: + field: log_description + field_split: ', ' + value_split: = + ignore_failure: true + - grok: + field: ConfigChangeData + if: ctx?.cisco_ise?.log?.message?.code == "52002" + ignore_failure: true + patterns: + - "^%{DATA:_tmp.temp}, %{GREEDYDATA:_tmp.ConfigChangeData}" + - kv: + field: _tmp.ConfigChangeData + if: ctx?.cisco_ise?.log?.message?.code == "52002" + field_split: ', ' + value_split: = + ignore_failure: true + - kv: + if: '!["60067", "61025", "61026", "52001", "52002"].contains(ctx.cisco_ise.log.message.code)' + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - kv: + if: ctx?.cisco_ise?.log?.message?.code == "60067" + field: OperationMessageText + field_split: ', ' + value_split: = + ignore_failure: true + - split: + field: AssignedTargets + target_field: cisco_ise.log.assigned_targets + separator: ',' + if: ctx?.cisco_ise?.log?.message?.code == "52001" + ignore_failure: true + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["51001","51002","51020","51021","52000","52001","52002","60077","60078","60461","61077","60077","58005","60094","60093","60134","60188","60116","60080","60115","60081"], "name": "iam"], + ["messageCodeArray": ["51001","51002","51020","51021","60077","60078","61077", "60077","60188","60116","60080","60115","60081"], "name": "authentication"], + ["messageCodeArray": ["61025","61026","60134"], "name": "network"], + ["messageCodeArray": ["60067","60070","60456","58005"], "name": "process"], + ["messageCodeArray": ["52000","52001","52002"], "name": "configuration"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["51001","51002","51020","51021"], "name": "admin"], + ["messageCodeArray": ["52001"], "name": "change"], + ["messageCodeArray": ["61025", "61026"], "name": "connection"], + ["messageCodeArray": ["52000"], "name": "creation"], + ["messageCodeArray": ["52002"], "name": "deletion"], + ["messageCodeArray": ["61026"], "name": "end"], + ["messageCodeArray": ["60116","60080","60115","60081"], "name": "user"], + ["messageCodeArray": ["51001","51002","51020","51021","52000","52001","52002","60067","60070","60077","60078","60456","60461","61025","61026","61077","60077","58005","60094","60093","60134","60188","60116","60080","60115","60081"], "name": "info"], + ["messageCodeArray": ["60067","60456","61025"], "name": "start"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + ctx.event.type = eventType; + - rename: + field: AcsInstance + target_field: cisco_ise.log.acs.instance + ignore_missing: true + - rename: + field: AdminInterface + target_field: cisco_ise.log.admin.interface + ignore_missing: true + - rename: + field: AdminIPAddress + target_field: client.ip + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AdminName + target_field: client.user.name + ignore_missing: true + - append: + field: related.user + value: '{{{client.user.name}}}' + if: ctx?.client?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AdminSession + target_field: cisco_ise.log.admin.session + ignore_missing: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: ConfigChangeData + target_field: cisco_ise.log.config_change.data + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: Component + target_field: cisco_ise.log.component + ignore_missing: true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_missing: true + - rename: + field: FailureReason + target_field: cisco_ise.log.failure.reason + ignore_missing: true + - convert: + field: FailureFlag + target_field: cisco_ise.log.failure.flag + type: boolean + ignore_failure: true + - rename: + field: LocalLogging + target_field: cisco_ise.log.local_logging + ignore_missing: true + - rename: + field: LogSeverityLevel + target_field: log.syslog.severity.name + if: ctx?.log?.syslog?.severity?.name == null + ignore_missing: true + - rename: + field: LogErrorMessage + target_field: cisco_ise.log.log_error.message + ignore_missing: true + - rename: + field: LoggerName + target_field: log.logger + ignore_missing: true + - rename: + field: MessageCode + target_field: cisco_ise.log.message.code + ignore_missing: true + - rename: + field: FeedServiceFeed + target_field: cisco_ise.log.feed_service.feed.name + ignore_missing: true + - rename: + field: FeedServiceFeedVersion + target_field: cisco_ise.log.feed_service.feed.version + ignore_missing: true + - rename: + field: FeedServiceHost + target_field: cisco_ise.log.feed_service.host + ignore_missing: true + - rename: + field: FeedServicePort + target_field: cisco_ise.log.feed_service.port + ignore_missing: true + - date: + field: FeedServiceQueryToTime + target_field: cisco_ise.log.feed_service.query.to_time + formats: + - ISO8601 + ignore_failure: true + - date: + field: FeedServiceQueryFromTime + target_field: cisco_ise.log.feed_service.query.from_time + formats: + - ISO8601 + ignore_failure: true + - rename: + field: IdentityGroup + target_field: cisco_ise.log.identity.group + ignore_missing: true + - rename: + field: IpAddress + target_field: host.ip + ignore_missing: true + - append: + field: related.ip + value: '{{{host.ip}}}' + if: ctx?.host?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: ObjectName + target_field: cisco_ise.log.object.name + ignore_missing: true + - rename: + field: ObjectInternalID + target_field: cisco_ise.log.object.internal.id + ignore_missing: true + - rename: + field: ObjectType + target_field: cisco_ise.log.object.type + ignore_missing: true + - rename: + field: OperationMessageText + target_field: cisco_ise.log.operation_message.text + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - append: + field: related.hosts + value: '{{{PsnHostName}}}' + if: ctx?.PsnHostName != null && ctx?.PsnHostName != '' + allow_duplicates: false + ignore_failure: true + - rename: + field: PsnHostName + target_field: cisco_ise.log.psn.hostname + ignore_missing: true + - rename: + field: RequestResponseType + target_field: cisco_ise.log.request_response.type + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_missing: true + - rename: + field: UserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - AssignedTargets + - ConfigVersionId + - FailureFlag + - FeedServiceQueryFromTime + - FeedServiceQueryToTime + - LogSeverityLevel + - ResponseTime + - log_detail + - log_description + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml new file mode 100755 index 0000000000..9e5648b26f --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication_flow_diagnostics.yml @@ -0,0 +1,166 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - '%{GREEDYDATA:cisco_ise.log.log_details},' + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(["iam"]); + def categoryReferenceTable = [ + ["messageCodeArray": ["22040","22057","22061","22060","22037"], "name": "authentication"] + ]; + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.selected.authentication.identity_stores + ignore_missing: true + - rename: + field: AuthenticationMethod + target_field: cisco_ise.log.authentication.method + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: CurrentIDStoreName + target_field: cisco_ise.log.currentid.store_name + ignore_missing: true + - convert: + field: DestinationIPAddress + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: "{{{DestinationIPAddress}}}" + if: ctx?.DestinationIPAddress != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: user.name + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - append: + field: user.name + value: '{{{UserName}}}' + if: ctx?.UserName != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{UserName}}}' + if: ctx?.UserName != null + allow_duplicates: false + ignore_failure: true + - convert: + field: WorkflowCurrentIDStoreIndex + target_field: cisco_ise.log.workflow.current_id.store_index + type: long + ignore_failure: true + - rename: + field: WorkflowIfAuthenticationFailed + target_field: cisco_ise.log.workflow.if.authentication_failed + ignore_missing: true + - rename: + field: WorkflowIfProcessError + target_field: cisco_ise.log.workflow.if.process_error + ignore_missing: true + - rename: + field: WorkflowIfUserNotFound + target_field: cisco_ise.log.workflow.if.user_not_found + ignore_missing: true + - rename: + field: WorkflowSequenceType + target_field: cisco_ise.log.workflow.sequence.type + ignore_missing: true + - remove: + field: + - ConfigVersionId + - DestinationIPAddress + - NAS-IP-Address + - OriginalUserName + - Response + - UserName + - WorkflowCurrentIDStoreIndex + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml new file mode 100755 index 0000000000..5700ac03fd --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_failed_attempts.yml @@ -0,0 +1,424 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["5405","5411","5418","5435","5400","5440"], "name": "authentication"], + ["messageCodeArray": ["5440"], "name": "session"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["5405","5411","5418","5435","5400","5440"], "name": "info"], + ["messageCodeArray": ["5405","5411","5418","5435"], "name": "end"], + ["messageCodeArray": ["5440"], "name": "start"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + ctx.event.type = eventType; + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - rename: + field: acme-av-pair.audit-session-id + target_field: cisco_ise.log.acme-av-pair.audit-session-id + ignore_missing: true + - rename: + field: acme-av-pair.service-type + target_field: cisco_ise.log.acme-av-pair.service-type + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: ADDomain + target_field: cisco_ise.log.ad.domain.name + ignore_missing: true + - rename: + field: AllowedProtocolMatchedRule + target_field: cisco_ise.log.allowed_protocol.matched.rule + ignore_missing: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: AuthenticationMethod + target_field: cisco_ise.log.authentication.method + ignore_missing: true + - rename: + field: Called-Station-ID + target_field: cisco_ise.log.called_station.id + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: DetailedInfo + target_field: cisco_ise.log.detailed_info + ignore_missing: true + - rename: + field: Device Type + target_field: cisco_ise.log.device.type + ignore_missing: true + - rename: + field: EAP-Key-Name + target_field: cisco_ise.log.eap_key.name + ignore_missing: true + - rename: + field: EapAuthentication + target_field: cisco_ise.log.eap.authentication + ignore_missing: true + - rename: + field: EapChainingResult + target_field: cisco_ise.log.eap.chaining_result + ignore_missing: true + - rename: + field: EapTunnel + target_field: cisco_ise.log.eap.tunnel + ignore_missing: true + - rename: + field: EndPointMACAddress + target_field: cisco_ise.log.endpoint.mac.address + ignore_missing: true + - gsub: + field: cisco_ise.log.endpoint.mac.address + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: cisco_ise.log.endpoint.mac.address + ignore_missing: true + - rename: + field: FailureReason + target_field: cisco_ise.log.failure.reason + ignore_missing: true + - convert: + field: Framed-IP-Address + target_field: cisco_ise.log.framed.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.framed.ip}}}' + if: ctx?.cisco_ise?.log?.framed?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: Framed-MTU + target_field: cisco_ise.log.framed.mtu + type: long + ignore_missing: true + - convert: + field: GroupsOrAttributesProcessFailure + target_field: cisco_ise.log.groups.process_failure + type: boolean + ignore_missing: true + - rename: + field: IdentitySelectionMatchedRule + target_field: cisco_ise.log.identity.selection.matched.rule + ignore_missing: true + - rename: + field: ISEPolicySetName + target_field: cisco_ise.log.ise.policy.set_name + ignore_missing: true + - rename: + field: Location + target_field: cisco_ise.log.location + ignore_missing: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-Port + target_field: cisco_ise.log.nas.port.number + type: long + ignore_missing: true + - rename: + field: NAS-Port-Id + target_field: cisco_ise.log.nas.port.id + ignore_missing: true + - rename: + field: NAS-Port-Type + target_field: cisco_ise.log.nas.port.type + ignore_missing: true + - rename: + field: NetworkDeviceGroups + target_field: cisco_ise.log.network.device.groups + ignore_missing: true + - rename: + field: NetworkDeviceName + target_field: cisco_ise.log.network.device.name + ignore_missing: true + - rename: + field: RadiusPacketType + target_field: cisco_ise.log.radius_packet.type + ignore_missing: true + - convert: + field: RequestLatency + target_field: cisco_ise.log.request.latency + type: long + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: SelectedAuthenticationIdentityStores + target_field: cisco_ise.log.selected.authentication.identity_stores + ignore_missing: true + - rename: + field: Service-Type + target_field: cisco_ise.log.service.type + ignore_missing: true + - rename: + field: State + target_field: cisco_ise.log.state + ignore_missing: true + - rename: + field: UseCase + target_field: cisco_ise.log.usecase + ignore_missing: true + - convert: + field: DestinationIPAddress + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_missing: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: Device Port + target_field: client.port + type: long + ignore_missing: true + - rename: + field: Acct-Session-Id + target_field: cisco_ise.log.acct.session.id + ignore_missing: true + - rename: + field: Acct-Status-Type + target_field: cisco_ise.log.acct.status.type + ignore_missing: true + - rename: + field: DTLSSupport + target_field: cisco_ise.log.dtls_support + ignore_missing: true + - convert: + field: IpAddress + target_field: source.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: IPSEC + target_field: cisco_ise.log.ipsec + ignore_missing: true + - rename: + field: Model Name + target_field: cisco_ise.log.model.name + ignore_missing: true + - rename: + field: Network Device Profile + target_field: cisco_ise.log.network.device.profile + ignore_missing: true + - rename: + field: NetworkDeviceProfileId + target_field: cisco_ise.log.network.device.profile_id + ignore_missing: true + - rename: + field: NetworkDeviceProfileName + target_field: cisco_ise.log.network.device.profile_name + ignore_missing: true + - rename: + field: OpenSSLErrorMessage + target_field: cisco_ise.log.openssl.error.message + ignore_missing: true + - rename: + field: OpenSSLErrorStack + target_field: cisco_ise.log.openssl.error.stack + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_missing: true + - convert: + field: Session-Timeout + target_field: cisco_ise.log.session.timeout + type: long + ignore_missing: true + - rename: + field: Step + target_field: cisco_ise.log.step + ignore_missing: true + - rename: + field: StepLatency + target_field: cisco_ise.log.step_latency + ignore_missing: true + - rename: + field: TLSCipher + target_field: cisco_ise.log.tls.cipher + ignore_missing: true + - rename: + field: TLSVersion + target_field: cisco_ise.log.tls.version + ignore_missing: true + - convert: + field: TotalFailedAttempts + target_field: cisco_ise.log.total.failed_attempts + type: long + ignore_missing: true + - convert: + field: TotalFailedTime + target_field: cisco_ise.log.total.failed_time + type: long + ignore_missing: true + - rename: + field: UserType + target_field: cisco_ise.log.user.type + ignore_missing: true + - rename: + field: Protocol + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - append: + field: user.name + value: '{{{UserName}}}' + ignore_failure: true + allow_duplicates: false + - append: + field: user.name + value: '{{{User-Name}}}' + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: '{{{UserName}}}' + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{User-Name}}}' + allow_duplicates: false + ignore_failure: true + - remove: + field: + - UserName + - User-Name + - ConfigVersionId + - DestinationIPAddress + - DestinationPort + - Device IP Address + - Device Port + - NAS-IP-Address + - NAS-Port + - RequestLatency + - IpAddress + - TotalFailedAttempts + - Session-Timeout + - Response + - ResponseTime + - TotalFailedTime + - Framed-IP-Address + - Framed-MTU + - GroupsOrAttributesProcessFailure + - acme-av-pair + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml new file mode 100755 index 0000000000..c49664a6b7 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_guest.yml @@ -0,0 +1,112 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: UserType + target_field: cisco_ise.log.user.type + ignore_missing: true + - rename: + field: UserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - convert: + field: IpAddress + target_field: source.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - rename: + field: IdentityGroup + target_field: cisco_ise.log.identity.group + ignore_missing: true + - rename: + field: PsnHostName + target_field: cisco_ise.log.psn.hostname + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_failure: true + - rename: + field: GuestUserName + target_field: cisco_ise.log.guest.user.name + ignore_missing: true + - rename: + field: FailureReason + target_field: cisco_ise.log.failure.reason + ignore_missing: true + - append: + field: related.user.name + value: '{{{cisco_ise.log.guest.user.name}}}' + if: ctx?.cisco_ise?.log?.guest?.user?.name != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - _tmp + - ConfigVersionId + - IpAddress + - cisco_ise.log.log_details + - ResponseTime + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml new file mode 100755 index 0000000000..e70181f8e2 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_identity_stores_diagnostics.yml @@ -0,0 +1,154 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["24209","24210","24212","24216","24217","24313","24322","24325","24352","24366","24412","24430","24631","24633","24715"], "name": "iam"], + ["messageCodeArray": ["24313","24322","24325","24352","24412","24430","24633","24715"], "name": "authentication"], + ["messageCodeArray": ["24217"], "name": "host"], + ["messageCodeArray": ["24209"], "name": "malware"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["24209","24210","24212","24216","24217","24313","24322","24325","24352","24366","24412","24430","24631","24633","24715"], "name": "info"], + ["messageCodeArray": ["24352","24412","24633"], "name": "end"], + ["messageCodeArray": ["24217"], "name": "host"], + ["messageCodeArray": ["24210","24212","24216","24631"], "name": "user"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.category = eventCategory; + ctx.event.type = eventType; + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - trim: + field: cisco_ise.log.log_details + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_missing: true + - rename: + field: UserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: AuthenticationMethod + target_field: cisco_ise.log.authentication.method + ignore_missing: true + - rename: + field: CurrentIDStoreName + target_field: cisco_ise.log.currentid.store_name + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: EnableFlag + target_field: cisco_ise.log.enable.flag + ignore_missing: true + - rename: + field: AD-Log-Id + target_field: cisco_ise.log.ad.log_id + ignore_missing: true + - append: + field: user.full_name + value: '{{{Firstname}}}' + if: ctx?.Firstname != null + allow_duplicates: false + ignore_failure: true + - append: + field: user.full_name + value: '{{{Lastname}}}' + if: ctx?.Lastname != null + allow_duplicates: false + ignore_failure: true + - rename: + field: OriginalUserName + target_field: cisco_ise.log.original.user.name + ignore_missing: true + - append: + field: user.name + value: '{{{cisco_ise.log.original.user.name}}}' + if: ctx?.cisco_ise?.log?.original?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Protocol + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - remove: + field: + - ConfigVersionId + - OriginalUserName + - Firstname + - Lastname + - Response + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml new file mode 100755 index 0000000000..8f14c3ed78 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_internal_operations_diagnostics.yml @@ -0,0 +1,81 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["34120"], "name": "authentication"], + ["messageCodeArray": ["32025","34126","34127"], "name": "configuration"] + ]; + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_failure: true + - rename: + field: LoggerName + target_field: cisco_ise.log.logger.name + ignore_missing: true + - rename: + field: LogFileName + target_field: cisco_ise.log.file.name + ignore_missing: true + - rename: + field: LogErrorMessage + target_field: cisco_ise.log.error.message + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - DestinationPort + - cisco_ise.log.log_details + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml new file mode 100755 index 0000000000..cbbcafd8f9 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_mydevices.yml @@ -0,0 +1,136 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: UserName + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - convert: + field: IpAddress + target_field: source.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - rename: + field: IdentityGroup + target_field: cisco_ise.log.identity.group + ignore_missing: true + - rename: + field: PsnHostName + target_field: cisco_ise.log.psn.hostname + ignore_missing: true + - rename: + field: EPMacAddress + target_field: cisco_ise.log.ep.mac.address + ignore_missing: true + - gsub: + field: cisco_ise.log.ep.mac_address + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: cisco_ise.log.ep.mac_address + ignore_missing: true + - rename: + field: EPIdentityGroup + target_field: cisco_ise.log.ep.identity_group + ignore_missing: true + - convert: + field: Staticassignment + target_field: cisco_ise.log.static.assignment + type: boolean + ignore_failure: true + - rename: + field: EndPointProfiler + target_field: cisco_ise.log.endpoint.profiler + ignore_missing: true + - rename: + field: EndPointPolicy + target_field: cisco_ise.log.endpoint.policy + ignore_missing: true + - rename: + field: DeviceName + target_field: cisco_ise.log.device.name + ignore_missing: true + - rename: + field: DeviceRegistrationStatus + target_field: cisco_ise.log.device.registration_status + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_failure: true + - rename: + field: EndpointCoA + target_field: cisco_ise.log.endpoint.coa + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - IpAddress + - cisco_ise.log.log_details + - ResponseTime + - Staticassignment + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml new file mode 100755 index 0000000000..bbfb3b66eb --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_passed_authentications.yml @@ -0,0 +1,394 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["5200","5231","5233","5239"], "name": "authentication"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["5200","5231","5233","5239"], "name": "info"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + ctx.event.type = eventType; + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - convert: + field: Airespace-Wlan-Id + target_field: cisco_ise.log.airespace.wlan.id + type: long + ignore_missing: true + - rename: + field: allowEasyWiredSession + target_field: cisco_ise.log.allow.easy.wired.session + ignore_missing: true + - rename: + field: AuthorizationPolicyMatchedRule + target_field: cisco_ise.log.auth.policy.matched.rule + ignore_missing: true + - rename: + field: AuthenticationIdentityStore + target_field: cisco_ise.log.authentication.identity_store + ignore_missing: true + - rename: + field: AuthenticationMethod + target_field: cisco_ise.log.authentication.method + ignore_missing: true + - rename: + field: AuthenticationStatus + target_field: cisco_ise.log.authentication.status + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - convert: + field: cisco-av-pair.coa-push + target_field: cisco_ise.log.cisco_av_pair.coa-push + type: boolean + ignore_missing: true + - rename: + field: cisco-av-pair.cts-device-capability + target_field: cisco_ise.log.cisco-av-pair.cts-device-capability + ignore_missing: true + - rename: + field: cisco-av-pair.cts-environment-data + target_field: cisco_ise.log.cisco-av-pair.cts-environment-data + ignore_missing: true + - convert: + field: cisco-av-pair.cts-environment-version + target_field: cisco_ise.log.cisco-av-pair.cts-environment-version + type: long + ignore_missing: true + - rename: + field: cisco-av-pair.cts-pac-opaque + target_field: cisco_ise.log.cisco-av-pair.cts-pac-opaque + ignore_missing: true + - convert: + field: ClientLatency + target_field: cisco_ise.log.client.latency + type: long + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: Device Type + target_field: cisco_ise.log.device.type + ignore_missing: true + - rename: + field: DTLSSupport + target_field: cisco_ise.log.dtls_support + ignore_missing: true + - rename: + field: EndPointMACAddress + target_field: cisco_ise.log.endpoint.mac.address + ignore_missing: true + - gsub: + field: cisco_ise.log.endpoind.mac.address + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: cisco_ise.log.endpoind.mac.address + ignore_missing: true + - rename: + field: GuestUserName + target_field: cisco_ise.log.guest.user.name + ignore_missing: true + - rename: + field: IdentityGroup + target_field: cisco_ise.log.identity.group + ignore_missing: true + - rename: + field: IdentityPolicyMatchedRule + target_field: cisco_ise.log.identity.policy.matched.rule + ignore_missing: true + - convert: + field: IpAddress + target_field: source.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: IPSEC + target_field: cisco_ise.log.ipsec + ignore_missing: true + - convert: + field: IsThirdPartyDeviceFlow + target_field: cisco_ise.log.is_third_party_device_flow + type: boolean + ignore_missing: true + - rename: + field: ISEPolicySetName + target_field: cisco_ise.log.ise.policy.set_name + ignore_missing: true + - rename: + field: Location + target_field: cisco_ise.log.location + ignore_missing: true + - rename: + field: MisconfiguredClientFixReason + target_field: cisco_ise.log.misconfigured.client.fix.reason + ignore_missing: true + - rename: + field: Model Name + target_field: cisco_ise.log.model.name + ignore_missing: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-Port + target_field: cisco_ise.log.nas.port.number + type: long + ignore_missing: true + - rename: + field: NAS-Port-Id + target_field: cisco_ise.log.nas.port.id + ignore_missing: true + - rename: + field: NAS-Port-Type + target_field: cisco_ise.log.nas.port.type + ignore_missing: true + - rename: + field: NetworkDeviceGroups + target_field: cisco_ise.log.network.device.groups + ignore_missing: true + - rename: + field: Network Device Profile + target_field: cisco_ise.log.network.device.profile + ignore_missing: true + - rename: + field: NetworkDeviceProfileName + target_field: cisco_ise.log.network.device.profile_name + ignore_missing: true + - rename: + field: NetworkDeviceProfileId + target_field: cisco_ise.log.network.device.profile_id + ignore_missing: true + - rename: + field: NetworkDeviceName + target_field: cisco_ise.log.network.device.name + ignore_missing: true + - rename: + field: PortalName + target_field: cisco_ise.log.portal.name + ignore_missing: true + - rename: + field: PostureAssessmentStatus + target_field: cisco_ise.log.posture.assessment.status + ignore_missing: true + - rename: + field: PsnHostName + target_field: cisco_ise.log.psn.hostname + ignore_missing: true + - rename: + field: RadiusFlowType + target_field: cisco_ise.log.radius.flow.type + ignore_missing: true + - convert: + field: RequestLatency + target_field: cisco_ise.log.request.latency + type: long + ignore_missing: true + - convert: + field: ResponseTime + target_field: cisco_ise.log.response.time + type: long + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: SelectedAuthenticationIdentityStores + target_field: cisco_ise.log.selected.authentication.identity_stores + ignore_missing: true + - rename: + field: SelectedAuthorizationProfiles + target_field: cisco_ise.log.selected.authorization.profiles + ignore_missing: true + - rename: + field: IdentitySelectionMatchedRule + target_field: cisco_ise.log.identity.selection.matched.rule + ignore_missing: true + - rename: + field: Service-Type + target_field: cisco_ise.log.service.type + ignore_missing: true + - rename: + field: Step + target_field: cisco_ise.log.step + ignore_missing: true + - rename: + field: StepData + target_field: cisco_ise.log.step_data + ignore_missing: true + - convert: + field: TotalAuthenLatency + target_field: cisco_ise.log.total.authen.latency + type: long + ignore_missing: true + - rename: + field: UseCase + target_field: cisco_ise.log.usecase + ignore_missing: true + - rename: + field: UserType + target_field: cisco_ise.log.user.type + ignore_missing: true + - append: + field: user.name + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - convert: + field: DestinationIPAddress + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_missing: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Protocol + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - append: + field: user.name + value: '{{{UserName}}}' + ignore_failure: true + allow_duplicates: false + - append: + field: user.name + value: '{{{User-Name}}}' + ignore_failure: true + allow_duplicates: false + - append: + field: related.user + value: '{{{UserName}}}' + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{User-Name}}}' + allow_duplicates: false + ignore_failure: true + - remove: + field: + - UserName + - User-Name + - ConfigVersionId + - DestinationIPAddress + - DestinationPort + - Device IP Address + - NAS-IP-Address + - NAS-Port + - RequestLatency + - IpAddress + - Airespace-Wlan-Id + - OriginalUserName + - ClientLatency + - Response + - ResponseTime + - TotalAuthenLatency + - IsThirdPartyDeviceFlow + - cisco-av-pair + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml new file mode 100755 index 0000000000..3c16394e98 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_policy_diagnostics.yml @@ -0,0 +1,143 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Protocol + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - date: + field: RequestReceivedTime + target_field: cisco_ise.log.request.received_time + if: ctx?.RequestReceivedTime != "0" + ignore_failure: true + formats: + - UNIX + - rename: + field: PolicyType + target_field: cisco_ise.log.policy.type + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: AuthorizationPolicyMatchedRule + target_field: cisco_ise.log.auth.policy.matched.rule + ignore_missing: true + - rename: + field: CurrentIDStoreName + target_field: cisco_ise.log.currentid.store_name + ignore_missing: true + - rename: + field: ISEPolicySetName + target_field: cisco_ise.log.ise.policy.set_name + ignore_missing: true + - rename: + field: IdentityPolicyMatchedRule + target_field: cisco_ise.log.identity.selection.matched.rule + ignore_missing: true + - rename: + field: IdentitySelectionMatchedRule + target_field: cisco_ise.log.identity.policy.matched.rule + ignore_missing: true + - append: + field: user.name + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{OriginalUserName}}}' + if: ctx?.OriginalUserName != null + allow_duplicates: false + ignore_failure: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: SelectedAuthorizationProfiles + target_field: cisco_ise.log.selected.authorization.profiles + ignore_missing: true + - append: + field: user.name + value: '{{{UserName}}}' + if: ctx?.UserName != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{UserName}}}' + if: ctx?.UserName != null + allow_duplicates: false + ignore_failure: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - Device IP Address + - OriginalUserName + - UserName + - RequestReceivedTime + - cisco_ise.log.log_details + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml new file mode 100755 index 0000000000..8e3f28ef05 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_posture_and_client_provisioning_audit.yml @@ -0,0 +1,72 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [malware] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: OperationID + target_field: cisco_ise.log.operation.id + ignore_missing: true + - rename: + field: OperationType + target_field: cisco_ise.log.operation.type + ignore_missing: true + - rename: + field: OperationStatus + target_field: cisco_ise.log.operation.status + ignore_missing: true + - rename: + field: AdminName + target_field: client.user.name + ignore_missing: true + - append: + field: related.user + value: '{{{client.user.name}}}' + if: ctx?.client?.user?.name != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - _tmp + - ConfigVersionId + - cisco_ise.log.log_details + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml new file mode 100755 index 0000000000..fbbf1874ec --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_accounting.yml @@ -0,0 +1,249 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: RequestLatency + target_field: cisco_ise.log.request.latency + type: long + ignore_failure: true + - rename: + field: NetworkDeviceName + target_field: cisco_ise.log.network.device.name + ignore_missing: true + - rename: + field: User-Name + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-Port + target_field: cisco_ise.log.nas.port.number + type: long + ignore_failure: true + - convert: + field: Framed-IP-Address + target_field: cisco_ise.log.framed.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{cisco_ise.log.framed.ip}}}' + if: ctx?.cisco_ise?.log?.framed?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Class + target_field: cisco_ise.log.class + ignore_missing: true + - rename: + field: Called-Station-ID + target_field: cisco_ise.log.called_station.id + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - rename: + field: NAS-Identifier + target_field: cisco_ise.log.nas.identifier + ignore_missing: true + - rename: + field: Acct-Status-Type + target_field: cisco_ise.log.acct.status.type + ignore_missing: true + - rename: + field: Acct-Session-Id + target_field: cisco_ise.log.acct.session.id + ignore_missing: true + - rename: + field: Acct-Authentic + target_field: cisco_ise.log.acct.authentic + ignore_missing: true + - convert: + field: Acct-Session-Time + target_field: cisco_ise.log.acct.session.time + type: long + ignore_failure: true + - rename: + field: Step + target_field: cisco_ise.log.step + ignore_missing: true + - rename: + field: Event-Timestamp + target_field: cisco_ise.log.event.timestamp + ignore_missing: true + - date: + field: cisco_ise.log.event.timestamp + target_field: cisco_ise.log.event.timestamp + if: ctx?.cisco_ise?.log?.event?.timestamp != "0" + ignore_failure: true + formats: + - UNIX + - rename: + field: NAS-Port-Type + target_field: cisco_ise.log.nas.port.type + ignore_missing: true + - rename: + field: Tunnel-Type + target_field: cisco_ise.log.tunnel.type + ignore_missing: true + - rename: + field: Tunnel-Medium-Type + target_field: cisco_ise.log.tunnel.medium.type + ignore_missing: true + - rename: + field: Tunnel-Private-Group-ID + target_field: cisco_ise.log.tunnel.private.group_id + ignore_missing: true + - convert: + field: Airespace-Wlan-Id + target_field: cisco_ise.log.airespace.wlan.id + type: long + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: NetworkDeviceGroups + target_field: cisco_ise.log.network.device.groups + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: AllowedProtocolMatchedRule + target_field: cisco_ise.log.allowed_protocol.matched.rule + ignore_missing: true + - rename: + field: Location + target_field: cisco_ise.log.location + ignore_missing: true + - rename: + field: Device Type + target_field: cisco_ise.log.device.type + ignore_missing: true + - convert: + field: Acct-Delay-Time + target_field: cisco_ise.log.acct.delay_time + type: long + ignore_failure: true + - convert: + field: Acct-Input-Octets + target_field: cisco_ise.log.acct.input.octets + type: long + ignore_failure: true + - convert: + field: Acct-Output-Octets + target_field: cisco_ise.log.acct.output.octets + type: long + ignore_failure: true + - convert: + field: Acct-Input-Packets + target_field: cisco_ise.log.acct.input.packets + type: long + ignore_failure: true + - convert: + field: Acct-Output-Packets + target_field: cisco_ise.log.acct.output.packets + type: long + ignore_failure: true + - rename: + field: Acct-Terminate-Cause + target_field: cisco_ise.log.acct.terminate_cause + ignore_missing: true + - rename: + field: undefined-52 + target_field: cisco_ise.log.undefined_52 + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - Device IP Address + - NAS-IP-Address + - NAS-Port + - cisco_ise.log.log_details + - Acct-Input-Octets + - Acct-Output-Octets + - Acct-Input-Packets + - Acct-Output-Packets + - Acct-Session-Time + - Acct-Delay-Time + - RequestLatency + - Airespace-Wlan-Id + - Framed-IP-Address + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml new file mode 100755 index 0000000000..d89787b48a --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_radius_diagnostics.yml @@ -0,0 +1,235 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} RADIUS: An Access-Request MUST contain at least a NAS-IP-Address, NAS-IPv6-Address, or a NAS-Identifier; Continue processing, %{GREEDYDATA:cisco_ise.log.log_details}," + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - set: + field: cisco_ise.log.message.description + value: "RADIUS: An Access-Request MUST contain at least a NAS-IP-Address NAS-IPv6-Address, or a NAS-Identifier; Continue processing" + if: ctx?.cisco_ise?.log?.message?.code == "11015" + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def eventType = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["11001","11002","11004","11005","11006","11015"], "name": "iam"], + ["messageCodeArray": ["11036","11038","11507","11823","12300","12301","12302","12305","12307","12309","12318","12500","12814","12817"], "name": "authentication"], + ["messageCodeArray": ["11027","12500","12800","12805","12814","12817"], "name": "network"], + ["messageCodeArray": ["11117"], "name": "session"], + ["messageCodeArray": ["11017","11018"], "name": "configuration"] + ]; + def typeReferenceTable = [ + ["messageCodeArray": ["11001","11002","11004","11005","11006","11015","11017","11018","11027","11036","11038","11117","11507","11823","12300","12301","12302","12305","12307","12309","12318","12500","12800","12805","12814","12817"], "name": "info"], + ["messageCodeArray": ["11823","12307","12309","12817"], "name": "end"], + ["messageCodeArray": ["11117"], "name": "start"] + ]; + + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + for (entry in typeReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventType.add(entry.name); + } + } + + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + ctx.event.type = eventType; + - gsub: + field: cisco_ise.log.log_details + pattern: \\, + replacement: '' + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - rename: + field: Acct-Session-Id + target_field: cisco_ise.log.acct.session.id + ignore_missing: true + - rename: + field: Acct-Status-Type + target_field: cisco_ise.log.acct.status.type + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - convert: + field: Airespace-Wlan-Id + target_field: cisco_ise.log.airespace.wlan.id + type: long + ignore_missing: true + - rename: + field: Calling-Station-ID + target_field: cisco_ise.log.calling_station.id + ignore_missing: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: DetailedInfo + target_field: cisco_ise.log.detailed_info + ignore_missing: true + - rename: + field: EapAuthentication + target_field: cisco_ise.log.eap.authentication + ignore_missing: true + - rename: + field: EapTunnel + target_field: cisco_ise.log.eap.tunnel + ignore_missing: true + - convert: + field: NAS-IP-Address + target_field: cisco_ise.log.nas.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{cisco_ise.log.nas.ip}}}' + if: ctx?.cisco_ise?.log?.nas?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: NAS-Port + target_field: cisco_ise.log.nas.port.number + type: long + ignore_missing: true + - rename: + field: OpenSSLErrorMessage + target_field: cisco_ise.log.openssl.error.message + ignore_missing: true + - rename: + field: OpenSSLErrorStack + target_field: cisco_ise.log.openssl.error.stack + ignore_missing: true + - rename: + field: NAS-Port-Type + target_field: cisco_ise.log.nas.port.type + ignore_missing: true + - convert: + field: RadiusIdentifier + target_field: cisco_ise.log.radius_identifier + type: long + ignore_missing: true + - rename: + field: RadiusPacketType + target_field: cisco_ise.log.radius.packet.type + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - convert: + field: Session-Timeout + target_field: cisco_ise.log.session.timeout + type: long + ignore_missing: true + - rename: + field: State + target_field: cisco_ise.log.state + ignore_missing: true + - rename: + field: UseCase + target_field: cisco_ise.log.usecase + ignore_missing: true + - convert: + field: DestinationIPAddress + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: DestinationPort + target_field: destination.port + type: long + ignore_missing: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - convert: + field: Device Port + target_field: client.port + type: long + ignore_missing: true + - rename: + field: Service-Type + target_field: service.type + ignore_missing: true + - rename: + field: User-Name + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + allow_duplicates: false + ignore_failure: true + - remove: + field: + - ConfigVersionId + - DestinationIPAddress + - DestinationPort + - Device IP Address + - Device Port + - NAS-IP-Address + - NAS-Port + - Airespace-Wlan-Id + - RadiusIdentifier + - Response + - Session-Timeout + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml new file mode 100755 index 0000000000..3832191710 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system_statistics.yml @@ -0,0 +1,189 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.action + value: [system-stats] + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: cisco_ise.log.log_details + if: ctx?.cisco_ise?.log?.message?.code == "70001" + patterns: + - "^ConfigVersionId=%{DATA:ConfigVersionId}, SysStatsAcsProcessHealth= %{GREEDYDATA:_tmp.SysStatsAcsProcessHealth}" + - kv: + if: ctx?.cisco_ise?.log?.message?.code == "70001" + field: _tmp.SysStatsAcsProcessHealth + target_field: SysStatsAcsProcessHealth + field_split: '; ' + value_split: = + ignore_failure: true + - kv: + if: ctx?.cisco_ise?.log?.message?.code != "70001" + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - kv: + field: OperationCounters + target_field: _tmp + field_split: ', ' + value_split: = + if: ctx?.cisco_ise?.log?.message?.code == "70011" + ignore_failure: true + - kv: + if: ctx?.cisco_ise?.log?.message?.code == "70011" + field: _tmp.Counter + target_field: Counters + field_split: "," + value_split: ":" + ignore_failure: true + - remove: + field: OperationCounters + if: ctx?.Counters != null + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["70000","70011"], "name": "host"], + ["messageCodeArray": ["70001"], "name": "process"] + ]; + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + ctx.event.category = eventCategory.length > 0 ? eventCategory : null; + - convert: + field: ActiveSessionCount + target_field: cisco_ise.log.active_session.count + type: long + ignore_failure: true + - convert: + field: AverageRadiusRequestLatency + target_field: cisco_ise.log.average.radius.request.latency + type: long + ignore_failure: true + - convert: + field: AverageTacacsRequestLatency + target_field: cisco_ise.log.average.tacacs.request.latency + type: long + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: Counters + target_field: cisco_ise.log.operation_counters.counters + ignore_missing: true + - convert: + field: DeltaRadiusRequestCount + target_field: cisco_ise.log.delta.radius.request.count + type: long + ignore_failure: true + - convert: + field: DeltaTacacsRequestCount + target_field: cisco_ise.log.delta.tacacs.request.count + type: long + ignore_failure: true + - rename: + field: OperationCounters + target_field: cisco_ise.log.operation_counters.original + ignore_missing: true + - rename: + field: SysStatsAcsProcessHealth + target_field: cisco_ise.log.sysstats.acs.process.health + ignore_missing: true + - convert: + field: SysStatsCpuCount + target_field: cisco_ise.log.sysstats.cpu.count + type: long + ignore_failure: true + - convert: + field: SysStatsProcessMemoryMB + target_field: cisco_ise.log.sysstats.process_memory_mb + type: long + ignore_failure: true + - gsub: + field: SysStatsUtilizationCpu + pattern: '%' + replacement: '' + ignore_missing: true + - convert: + field: SysStatsUtilizationCpu + target_field: cisco_ise.log.sysstats.utilization.cpu + type: double + ignore_failure: true + - gsub: + field: SysStatsUtilizationDiskIO + pattern: '%' + replacement: '' + ignore_missing: true + - convert: + field: SysStatsUtilizationDiskIO + target_field: cisco_ise.log.sysstats.utilization.disk.io + type: double + ignore_failure: true + - rename: + field: SysStatsUtilizationDiskSpace + target_field: cisco_ise.log.sysstats.utilization.disk.space + ignore_missing: true + - convert: + field: SysStatsUtilizationLoadAvg + target_field: cisco_ise.log.sysstats.utilization.load_avg + type: double + ignore_failure: true + - gsub: + field: SysStatsUtilizationMemory + pattern: '%' + replacement: '' + ignore_missing: true + - convert: + field: SysStatsUtilizationMemory + target_field: cisco_ise.log.sysstats.utilization.memory + type: double + ignore_failure: true + - rename: + field: SysStatsUtilizationNetwork + target_field: cisco_ise.log.sysstats.utilization.network + ignore_missing: true + - remove: + field: + - ActiveSessionCount + - AverageRadiusRequestLatency + - AverageTacacsRequestLatency + - ConfigVersionId + - DeltaRadiusRequestCount + - DeltaTacacsRequestCount + - SysStatsCpuCount + - SysStatsProcessMemoryMB + - SysStatsUtilizationCpu + - SysStatsUtilizationDiskIO + - SysStatsUtilizationMemory + - SysStatsUtilizationLoadAvg + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml new file mode 100755 index 0000000000..938f29cfeb --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_tacacs_accounting.yml @@ -0,0 +1,237 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.category + value: [configuration] + - append: + field: event.type + value: [info] + - gsub: + field: message + pattern: 'AVPair=' + replacement: 'AVPair.' + ignore_missing: true + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.description != null + source: + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - convert: + field: Device IP Address + target_field: client.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: CmdSet + target_field: cisco_ise.log.cmdset + ignore_missing: true + - convert: + field: RequestLatency + target_field: cisco_ise.log.request.latency + type: long + ignore_failure: true + - rename: + field: NetworkDeviceName + target_field: cisco_ise.log.network.device.name + ignore_missing: true + - rename: + field: Type + target_field: cisco_ise.log.type + ignore_missing: true + - convert: + field: Privilege-Level + target_field: cisco_ise.log.privilege.level + type: long + ignore_failure: true + - rename: + field: Service + target_field: cisco_ise.log.service.name + ignore_missing: true + - rename: + field: User + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Port + target_field: cisco_ise.log.port + ignore_missing: true + - convert: + field: Remote-Address + target_field: destination.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: Authen-Method + target_field: cisco_ise.log.authen_method + ignore_missing: true + - rename: + field: AVPair.task_id + target_field: cisco_ise.log.avpair.task_id + ignore_missing: true + ignore_failure: true + - rename: + field: AVPair.timezone + target_field: cisco_ise.log.avpair.timezone + ignore_missing: true + - date: + field: AVPair.start_time + target_field: cisco_ise.log.avpair.start_time + if: ctx?.AVPair?.start_time != "0" + ignore_failure: true + formats: + - UNIX + - convert: + field: AVPair.priv-lvl + target_field: cisco_ise.log.avpair.priv_lvl + type: long + ignore_failure: true + - convert: + field: AVPair.disc-cause + target_field: cisco_ise.log.avpair.disc.cause + type: long + ignore_failure: true + - convert: + field: AVPair.disc-cause-ext + target_field: cisco_ise.log.avpair.disc.cause_ext + type: long + ignore_failure: true + - convert: + field: AVPair.pre-session-time + target_field: cisco_ise.log.avpair.pre_session_time + type: long + ignore_failure: true + - convert: + field: AVPair.elapsed_time + target_field: cisco_ise.log.avpair.elapsed_time + type: long + ignore_failure: true + - date: + field: AVPair.stop_time + target_field: cisco_ise.log.avpair.stop_time + if: ctx?.cisco_ise?.log?.avPair?.stop_time != "0" + ignore_failure: true + formats: + - UNIX + - rename: + field: AcctRequest-Flags + target_field: cisco_ise.log.acct.request.flags + ignore_missing: true + - rename: + field: Service-Argument + target_field: cisco_ise.log.service.argument + ignore_missing: true + - rename: + field: AcsSessionID + target_field: cisco_ise.log.acs.session.id + ignore_missing: true + - rename: + field: SelectedAccessService + target_field: cisco_ise.log.selected.access.service + ignore_missing: true + - rename: + field: NetworkDeviceGroups + target_field: cisco_ise.log.network.device.groups + ignore_missing: true + - rename: + field: CPMSessionID + target_field: cisco_ise.log.cpm.session.id + ignore_missing: true + - rename: + field: Model Name + target_field: cisco_ise.log.model.name + ignore_missing: true + - rename: + field: Software Version + target_field: cisco_ise.log.software.version + ignore_missing: true + - rename: + field: Network Device Profile + target_field: cisco_ise.log.network.device.profile + ignore_missing: true + - rename: + field: Location + target_field: cisco_ise.log.location + ignore_missing: true + - rename: + field: Device Type + target_field: cisco_ise.log.device.type + ignore_missing: true + - rename: + field: IPSEC + target_field: cisco_ise.log.ipsec + ignore_missing: true + - rename: + field: Step + target_field: cisco_ise.log.step + ignore_missing: true + - dissect: + field: Response + pattern: "{%{_tmp.response}}" + ignore_failure: true + - kv: + field: _tmp.response + target_field: cisco_ise.log.response + field_split: '; ' + value_split: = + ignore_failure: true + - remove: + field: + - _tmp + - ConfigVersionId + - Device IP Address + - Remote-Address + - Response + - RequestLatency + - Privilege-Level + - cisco_ise.log.log_details + - AVPair + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml new file mode 100755 index 0000000000..54768dfc50 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_threat_centric_nac.yml @@ -0,0 +1,78 @@ +--- +processors: + - set: + field: event.kind + value: event + - append: + field: event.type + value: [info] + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number == 0 + patterns: + - "^%{TIMESTAMP_ISO8601:_tmp.timestamp} %{ISO8601_TIMEZONE:event.timezone} %{DATA:event.sequence:long} %{DATA:cisco_ise.log.message.code} %{DATA:log.syslog.severity.name} %{DATA:cisco_ise.log.message.description}, %{GREEDYDATA:cisco_ise.log.log_details}," + - grok: + field: message + if: ctx?.cisco_ise?.log?.segment?.number > 0 + patterns: + - "^%{GREEDYDATA:cisco_ise.log.log_details}," + - date: + field: _tmp.timestamp + target_field: '@timestamp' + formats: + - yyyy-MM-dd HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSSSSS + timezone: '{{{event.timezone}}}' + ignore_failure: true + - script: + lang: painless + if: ctx?.cisco_ise?.log?.message?.code != null + source: | + def eventCategory = new ArrayList(); + def categoryReferenceTable = [ + ["messageCodeArray": ["91110"], "name": "authentication"], + ["messageCodeArray": ["91004","91018"], "name": "configuration"] + ]; + for (entry in categoryReferenceTable) { + if (entry.messageCodeArray.contains(ctx.cisco_ise.log.message.code)) { + eventCategory.add(entry.name); + } + } + ctx.event.action = ctx?.cisco_ise?.log?.message?.description?.splitOnToken(":")[0]?.toLowerCase(); + ctx.event.category = eventCategory; + - kv: + field: cisco_ise.log.log_details + field_split: ', ' + value_split: = + ignore_failure: true + - convert: + field: ConfigVersionId + target_field: cisco_ise.log.config_version.id + type: long + ignore_failure: true + - rename: + field: Details + target_field: cisco_ise.log.details + ignore_missing: true + - rename: + field: AdapterInstanceName + target_field: cisco_ise.log.adapter_instance.name + ignore_missing: true + - rename: + field: AdapterInstanceUuid + target_field: cisco_ise.log.adapter_instance.uuid + ignore_missing: true + - rename: + field: Status + target_field: cisco_ise.log.status + ignore_missing: true + - rename: + field: Connectivity + target_field: cisco_ise.log.connectivity + ignore_missing: true + - remove: + field: + - _tmp + - ConfigVersionId + - cisco_ise.log.log_details + ignore_missing: true diff --git a/packages/cisco_ise/1.1.1/data_stream/log/fields/agent.yml b/packages/cisco_ise/1.1.1/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..98d2f9f38d --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/fields/agent.yml @@ -0,0 +1,177 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/cisco_ise/1.1.1/data_stream/log/fields/base-fields.yml b/packages/cisco_ise/1.1.1/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..45e558e2c9 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_ise.log +- name: event.module + type: constant_keyword + description: Event module + value: cisco_ise +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cisco_ise/1.1.1/data_stream/log/fields/ecs.yml b/packages/cisco_ise/1.1.1/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..35a206c59d --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/fields/ecs.yml @@ -0,0 +1,109 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + name: log.syslog.severity.name + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/cisco_ise/1.1.1/data_stream/log/fields/fields.yml b/packages/cisco_ise/1.1.1/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..7e171113db --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/fields/fields.yml @@ -0,0 +1,829 @@ +- name: cisco_ise.log + type: group + fields: + - name: acct + type: group + fields: + - name: authentic + type: keyword + - name: delay_time + type: long + - name: input + type: group + fields: + - name: octets + type: long + - name: packets + type: long + - name: output + type: group + fields: + - name: octets + type: long + - name: packets + type: long + - name: request + type: group + fields: + - name: flags + type: keyword + - name: session + type: group + fields: + - name: id + type: keyword + - name: time + type: long + - name: status + type: group + fields: + - name: type + type: keyword + - name: terminate_cause + type: keyword + - name: acme-av-pair + type: group + fields: + - name: audit-session-id + type: keyword + - name: service-type + type: keyword + - name: acs + type: group + fields: + - name: instance + type: keyword + - name: session + type: group + fields: + - name: id + type: keyword + - name: active_session + type: group + fields: + - name: count + type: long + - name: ad + type: group + fields: + - name: admin + type: keyword + - name: domain + type: group + fields: + - name: controller + type: keyword + - name: name + type: keyword + - name: error + type: group + fields: + - name: details + type: keyword + - name: forest + type: keyword + - name: hostname + type: keyword + - name: ip + type: ip + - name: log + type: keyword + - name: log_id + type: keyword + - name: organization_unit + type: text + - name: site + type: keyword + - name: srv + type: group + fields: + - name: query + type: keyword + - name: record + type: keyword + - name: adapter_instance + type: group + fields: + - name: name + type: keyword + - name: uuid + type: keyword + - name: admin + type: group + fields: + - name: interface + type: keyword + - name: session + type: keyword + - name: airespace + type: group + fields: + - name: wlan + type: group + fields: + - name: id + type: long + - name: allow + type: group + fields: + - name: easy + type: group + fields: + - name: wired + type: group + fields: + - name: session + type: keyword + - name: allowed_protocol + type: group + fields: + - name: matched + type: group + fields: + - name: rule + type: keyword + - name: assigned_targets + type: keyword + - name: auth + type: group + fields: + - name: policy + type: group + fields: + - name: matched + type: group + fields: + - name: rule + type: keyword + - name: authen_method + type: keyword + - name: authentication + type: group + fields: + - name: identity_store + type: keyword + - name: method + type: keyword + - name: status + type: keyword + - name: average + type: group + fields: + - name: radius + type: group + fields: + - name: request + type: group + fields: + - name: latency + type: long + - name: tacacs + type: group + fields: + - name: request + type: group + fields: + - name: latency + type: long + - name: avpair + type: group + fields: + - name: disc + type: group + fields: + - name: cause + type: long + - name: cause_ext + type: long + - name: elapsed_time + type: long + - name: pre_session_time + type: long + - name: priv_lvl + type: long + - name: start_time + type: date + - name: stop_time + type: date + - name: task_id + type: keyword + - name: timezone + type: keyword + - name: called_station + type: group + fields: + - name: id + type: keyword + - name: calling_station + type: group + fields: + - name: id + type: keyword + - name: category + type: group + fields: + - name: name + type: keyword + - name: cisco_av_pair + type: group + fields: + - name: coa-push + type: boolean + - name: cts-device-capability + type: keyword + - name: cts-environment-data + type: keyword + - name: cts-environment-version + type: keyword + - name: cts-pac-opaque + type: keyword + - name: class + type: keyword + - name: client + type: group + fields: + - name: latency + type: long + - name: cmdset + type: keyword + - name: component + type: keyword + - name: config_change + type: group + fields: + - name: data + type: keyword + - name: config_version + type: group + fields: + - name: id + type: long + - name: connectivity + type: keyword + - name: cpm + type: group + fields: + - name: session + type: group + fields: + - name: id + type: keyword + - name: currentid + type: group + fields: + - name: store_name + type: keyword + - name: delta + type: group + fields: + - name: radius + type: group + fields: + - name: request + type: group + fields: + - name: count + type: long + - name: tacacs + type: group + fields: + - name: request + type: group + fields: + - name: count + type: long + - name: detailed_info + type: text + - name: details + type: keyword + - name: device + type: group + fields: + - name: name + type: keyword + - name: registration_status + type: keyword + - name: type + type: keyword + - name: dtls_support + type: keyword + - name: eap_key + type: group + fields: + - name: name + type: keyword + - name: eap + type: group + fields: + - name: authentication + type: keyword + - name: chaining_result + type: keyword + - name: tunnel + type: keyword + - name: enable + type: group + fields: + - name: flag + type: keyword + - name: endpoint + type: group + fields: + - name: coa + type: keyword + - name: mac + type: group + fields: + - name: address + type: keyword + - name: policy + type: keyword + - name: profiler + type: keyword + - name: purge + type: group + fields: + - name: id + type: keyword + - name: rule + type: keyword + - name: scheduletype + type: keyword + - name: ep + type: group + fields: + - name: identity_group + type: keyword + - name: mac + type: group + fields: + - name: address + type: keyword + - name: error + type: group + fields: + - name: message + type: keyword + - name: event + type: group + fields: + - name: timestamp + type: date + - name: failure + type: group + fields: + - name: flag + type: boolean + - name: reason + type: keyword + - name: feed_service + type: group + fields: + - name: feed + type: group + fields: + - name: name + type: keyword + - name: version + type: keyword + - name: host + type: keyword + - name: port + type: keyword + - name: query + type: group + fields: + - name: from_time + type: date + - name: to_time + type: date + - name: file + type: group + fields: + - name: name + type: keyword + - name: first_name + type: keyword + - name: framed + type: group + fields: + - name: ip + type: ip + - name: mtu + type: long + - name: groups + type: group + fields: + - name: process_failure + type: boolean + - name: guest + type: group + fields: + - name: user + type: group + fields: + - name: name + type: keyword + - name: identity + type: group + fields: + - name: group + type: keyword + - name: identity + type: group + fields: + - name: policy + type: group + fields: + - name: matched + type: group + fields: + - name: rule + type: keyword + - name: selection + type: group + fields: + - name: matched + type: group + fields: + - name: rule + type: keyword + - name: ipsec + type: keyword + - name: is_third_party_device_flow + type: boolean + - name: ise + type: group + fields: + - name: policy + type: group + fields: + - name: set_name + type: keyword + - name: last_name + type: keyword + - name: local_logging + type: keyword + - name: location + type: keyword + - name: log_details + type: text + - name: log_error + type: group + fields: + - name: message + type: keyword + - name: log_severity_level + type: keyword + - name: logger + type: group + fields: + - name: name + type: keyword + - name: message + type: group + fields: + - name: code + type: keyword + - name: description + type: text + - name: id + type: keyword + - name: text + type: keyword + - name: misconfigured + type: group + fields: + - name: client + type: group + fields: + - name: fix + type: group + fields: + - name: reason + type: keyword + - name: model + type: group + fields: + - name: name + type: keyword + - name: nas + type: group + fields: + - name: identifier + type: keyword + - name: ip + type: ip + - name: port + type: group + fields: + - name: id + type: keyword + - name: number + type: long + - name: type + type: keyword + - name: network + type: group + fields: + - name: device + type: group + fields: + - name: groups + type: keyword + - name: name + type: keyword + - name: profile + type: keyword + - name: profile_id + type: keyword + - name: profile_name + type: keyword + - name: object + type: group + fields: + - name: internal.id + type: keyword + - name: name + type: keyword + - name: type + type: keyword + - name: objects + type: group + fields: + - name: purged + type: keyword + - name: openssl + type: group + fields: + - name: error + type: group + fields: + - name: message + type: keyword + - name: stack + type: keyword + - name: operation_counters + type: group + fields: + - name: counters + type: flattened + - name: original + type: text + - name: operation_message + type: group + fields: + - name: text + type: keyword + - name: operation + type: group + fields: + - name: id + type: keyword + - name: status + type: keyword + - name: type + type: keyword + - name: original + type: group + fields: + - name: user + type: group + fields: + - name: name + type: keyword + - name: policy + type: group + fields: + - name: type + type: keyword + - name: port + type: keyword + - name: portal + type: group + fields: + - name: name + type: keyword + - name: posture + type: group + fields: + - name: assessment + type: group + fields: + - name: status + type: keyword + - name: privilege + type: group + fields: + - name: level + type: long + - name: probe + type: keyword + - name: profiler + type: group + fields: + - name: server + type: keyword + - name: protocol + type: keyword + - name: psn + type: group + fields: + - name: hostname + type: keyword + - name: radius_identifier + type: long + - name: radius_packet + type: group + fields: + - name: type + type: keyword + - name: radius + type: group + fields: + - name: flow + type: group + fields: + - name: type + type: keyword + - name: packet + type: group + fields: + - name: type + type: keyword + - name: request_response + type: group + fields: + - name: type + type: keyword + - name: request + type: group + fields: + - name: latency + type: long + - name: received_time + type: date + - name: response + type: flattened + - name: segment + type: group + fields: + - name: number + type: long + - name: total + type: long + - name: selected + type: group + fields: + - name: access + type: group + fields: + - name: service + type: keyword + - name: authentication + type: group + fields: + - name: identity_stores + type: keyword + - name: authorization + type: group + fields: + - name: profiles + type: keyword + - name: sequence + type: group + fields: + - name: number + type: long + - name: server + type: group + fields: + - name: name + type: keyword + - name: type + type: keyword + - name: service + type: group + fields: + - name: argument + type: keyword + - name: name + type: keyword + - name: type + type: keyword + - name: session + type: group + fields: + - name: timeout + type: long + - name: severity + type: group + fields: + - name: level + type: long + - name: software + type: group + fields: + - name: version + type: keyword + - name: state + type: text + - name: static + type: group + fields: + - name: assignment + type: boolean + - name: step + type: keyword + - name: step_data + type: keyword + - name: step_latency + type: keyword + - name: status + type: keyword + - name: sysstats + type: group + fields: + - name: acs + type: group + fields: + - name: process + type: group + fields: + - name: health + type: flattened + - name: cpu + type: group + fields: + - name: count + type: long + - name: process_memory_mb + type: long + - name: utilization + type: group + fields: + - name: cpu + type: double + - name: disk + type: group + fields: + - name: io + type: double + - name: space + type: keyword + - name: load_avg + type: double + - name: memory + type: double + - name: network + type: keyword + - name: tls + type: group + fields: + - name: cipher + type: keyword + - name: version + type: keyword + - name: total + type: group + fields: + - name: authen + type: group + fields: + - name: latency + type: long + - name: failed_attempts + type: long + - name: failed_time + type: long + - name: tunnel + type: group + fields: + - name: medium + type: group + fields: + - name: type + type: keyword + - name: private + type: group + fields: + - name: group_id + type: keyword + - name: type + type: keyword + - name: type + type: keyword + - name: undefined_52 + type: keyword + - name: usecase + type: keyword + - name: user + type: group + fields: + - name: type + type: keyword + - name: workflow + type: flattened +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/cisco_ise/1.1.1/data_stream/log/manifest.yml b/packages/cisco_ise/1.1.1/data_stream/log/manifest.yml new file mode 100755 index 0000000000..e0bae293cd --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/manifest.yml @@ -0,0 +1,63 @@ +title: Cisco ISE logs +type: logs +streams: + - input: tcp + template_path: tcp.yml.hbs + title: Cisco_ISE logs + description: Collect Cisco ISE logs via TCP input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_ise-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + template_path: udp.yml.hbs + title: Cisco_ISE logs + description: Collect Cisco ISE logs via UDP input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_ise-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_ise/1.1.1/data_stream/log/sample_event.json b/packages/cisco_ise/1.1.1/data_stream/log/sample_event.json new file mode 100755 index 0000000000..0c82489972 --- /dev/null +++ b/packages/cisco_ise/1.1.1/data_stream/log/sample_event.json @@ -0,0 +1,184 @@ +{ + "@timestamp": "2020-02-21T19:13:08.328Z", + "agent": { + "ephemeral_id": "4f4b968e-48f2-4442-984d-73a340e75b02", + "id": "bdb81c52-44a4-414c-996b-bcfa977c5f7a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.3" + }, + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Stop" + } + }, + "acs": { + "session": { + "id": "ldnnacpsn1/359344348/952729" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "cmdset": "[ CmdAV=show mac-address-table \u003ccr\u003e ]", + "config_version": { + "id": 1829 + }, + "cpm": { + "session": { + "id": "81.2.69.144Accounting306034364" + } + }, + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] + }, + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], + "message": { + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" + ], + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] + } + }, + "port": "tty10", + "privilege": { + "level": 15 + }, + "request": { + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" + }, + "segment": { + "number": 0, + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "13035" + ], + "type": "Accounting" + } + }, + "client": { + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "cisco_ise.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "bdb81c52-44a4-414c-996b-bcfa977c5f7a", + "snapshot": false, + "version": "8.3.3" + }, + "event": { + "action": "tacacs-accounting", + "agent_id_status": "verified", + "category": [ + "configuration" + ], + "dataset": "cisco_ise.log", + "ingested": "2022-08-29T04:16:29Z", + "kind": "event", + "sequence": 18415781, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "notice", + "source": { + "address": "192.168.144.4:53137" + }, + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=2962, AVPair.timezone=GMT, AVPair.start_time=1585185432, AVPair.priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "psxvne" + ] + }, + "tags": [ + "forwarded", + "cisco_ise-log" + ], + "user": { + "name": "psxvne" + } +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/docs/README.md b/packages/cisco_ise/1.1.1/docs/README.md new file mode 100755 index 0000000000..bcdfb28101 --- /dev/null +++ b/packages/cisco_ise/1.1.1/docs/README.md @@ -0,0 +1,498 @@ +# Cisco ISE + +The Cisco ISE integration collects and parses data from [Cisco Identity Services Engine](https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html) (ISE) using TCP/UDP. + +## Compatibility + +This module has been tested against `Cisco ISE server version 3.1.0.518`. + +## Requirements + +- Enable the integration with the TCP/UDP input. +- Sign in to Cisco ISE Portal. +- Configure Remote Syslog Collection Locations. + - **Procedure** + 1. In Cisco ISE Administrator Portal, go to **Administration** > **System** > **Logging** > **Remote Logging Targets**. + 2. Click **Add**. + ![Cisco ISE server setup image](../img/cisco-ise-setup.png) + 3. Enter all the **Required Details**. + 4. Set the maximum length to **8192**. + 5. Click **Submit**. + 6. Go to the **Remote Logging Targets** page and verify the creation of the new target. + +## Note +- It is recommended to have **8192** as Maximum Message Length. Segmentation for certain logs coming from Cisco ISE might cause issues with field mappings. + +## Logs + +Reference link for Cisco ISE Syslog: [Here](https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html) + +### log + +This is the `log` dataset. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2020-02-21T19:13:08.328Z", + "agent": { + "ephemeral_id": "4f4b968e-48f2-4442-984d-73a340e75b02", + "id": "bdb81c52-44a4-414c-996b-bcfa977c5f7a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.3" + }, + "cisco_ise": { + "log": { + "acct": { + "request": { + "flags": "Stop" + } + }, + "acs": { + "session": { + "id": "ldnnacpsn1/359344348/952729" + } + }, + "authen_method": "TacacsPlus", + "avpair": { + "priv_lvl": 15, + "start_time": "2020-03-26T01:17:12.000Z", + "task_id": "2962", + "timezone": "GMT" + }, + "category": { + "name": "CISE_TACACS_Accounting" + }, + "cmdset": "[ CmdAV=show mac-address-table \u003ccr\u003e ]", + "config_version": { + "id": 1829 + }, + "cpm": { + "session": { + "id": "81.2.69.144Accounting306034364" + } + }, + "device": { + "type": [ + "Device Type#All Device Types#Routers", + "Device Type#All Device Types#Routers" + ] + }, + "ipsec": [ + "IPSEC#Is IPSEC Device", + "IPSEC#Is IPSEC Device" + ], + "location": [ + "Location#All Locations#EMEA", + "Location#All Locations#EMEA" + ], + "message": { + "code": "3300", + "description": "Tacacs-Accounting: TACACS+ Accounting with Command", + "id": "0000000001" + }, + "model": { + "name": "Unknown" + }, + "network": { + "device": { + "groups": [ + "Location#All Locations#EMEA", + "Device Type#All Device Types#Routers", + "IPSEC#Is IPSEC Device" + ], + "name": "wlnwan1", + "profile": [ + "Cisco", + "Cisco" + ] + } + }, + "port": "tty10", + "privilege": { + "level": 15 + }, + "request": { + "latency": 1 + }, + "response": { + "AcctReply-Status": "Success" + }, + "segment": { + "number": 0, + "total": 4 + }, + "selected": { + "access": { + "service": "Device Admin - TACACS" + } + }, + "service": { + "argument": "shell", + "name": "Login" + }, + "software": { + "version": "Unknown" + }, + "step": [ + "13006", + "15049", + "15008", + "15048", + "13035" + ], + "type": "Accounting" + } + }, + "client": { + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "cisco_ise.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "bdb81c52-44a4-414c-996b-bcfa977c5f7a", + "snapshot": false, + "version": "8.3.3" + }, + "event": { + "action": "tacacs-accounting", + "agent_id_status": "verified", + "category": [ + "configuration" + ], + "dataset": "cisco_ise.log", + "ingested": "2022-08-29T04:16:29Z", + "kind": "event", + "sequence": 18415781, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "notice", + "source": { + "address": "192.168.144.4:53137" + }, + "syslog": { + "priority": 182, + "severity": { + "name": "notice" + } + } + }, + "message": "2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table \u003ccr\u003e ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair.task_id=2962, AVPair.timezone=GMT, AVPair.start_time=1585185432, AVPair.priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "psxvne" + ] + }, + "tags": [ + "forwarded", + "cisco_ise-log" + ], + "user": { + "name": "psxvne" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_ise.log.acct.authentic | | keyword | +| cisco_ise.log.acct.delay_time | | long | +| cisco_ise.log.acct.input.octets | | long | +| cisco_ise.log.acct.input.packets | | long | +| cisco_ise.log.acct.output.octets | | long | +| cisco_ise.log.acct.output.packets | | long | +| cisco_ise.log.acct.request.flags | | keyword | +| cisco_ise.log.acct.session.id | | keyword | +| cisco_ise.log.acct.session.time | | long | +| cisco_ise.log.acct.status.type | | keyword | +| cisco_ise.log.acct.terminate_cause | | keyword | +| cisco_ise.log.acme-av-pair.audit-session-id | | keyword | +| cisco_ise.log.acme-av-pair.service-type | | keyword | +| cisco_ise.log.acs.instance | | keyword | +| cisco_ise.log.acs.session.id | | keyword | +| cisco_ise.log.active_session.count | | long | +| cisco_ise.log.ad.admin | | keyword | +| cisco_ise.log.ad.domain.controller | | keyword | +| cisco_ise.log.ad.domain.name | | keyword | +| cisco_ise.log.ad.error.details | | keyword | +| cisco_ise.log.ad.forest | | keyword | +| cisco_ise.log.ad.hostname | | keyword | +| cisco_ise.log.ad.ip | | ip | +| cisco_ise.log.ad.log | | keyword | +| cisco_ise.log.ad.log_id | | keyword | +| cisco_ise.log.ad.organization_unit | | text | +| cisco_ise.log.ad.site | | keyword | +| cisco_ise.log.ad.srv.query | | keyword | +| cisco_ise.log.ad.srv.record | | keyword | +| cisco_ise.log.adapter_instance.name | | keyword | +| cisco_ise.log.adapter_instance.uuid | | keyword | +| cisco_ise.log.admin.interface | | keyword | +| cisco_ise.log.admin.session | | keyword | +| cisco_ise.log.airespace.wlan.id | | long | +| cisco_ise.log.allow.easy.wired.session | | keyword | +| cisco_ise.log.allowed_protocol.matched.rule | | keyword | +| cisco_ise.log.assigned_targets | | keyword | +| cisco_ise.log.auth.policy.matched.rule | | keyword | +| cisco_ise.log.authen_method | | keyword | +| cisco_ise.log.authentication.identity_store | | keyword | +| cisco_ise.log.authentication.method | | keyword | +| cisco_ise.log.authentication.status | | keyword | +| cisco_ise.log.average.radius.request.latency | | long | +| cisco_ise.log.average.tacacs.request.latency | | long | +| cisco_ise.log.avpair.disc.cause | | long | +| cisco_ise.log.avpair.disc.cause_ext | | long | +| cisco_ise.log.avpair.elapsed_time | | long | +| cisco_ise.log.avpair.pre_session_time | | long | +| cisco_ise.log.avpair.priv_lvl | | long | +| cisco_ise.log.avpair.start_time | | date | +| cisco_ise.log.avpair.stop_time | | date | +| cisco_ise.log.avpair.task_id | | keyword | +| cisco_ise.log.avpair.timezone | | keyword | +| cisco_ise.log.called_station.id | | keyword | +| cisco_ise.log.calling_station.id | | keyword | +| cisco_ise.log.category.name | | keyword | +| cisco_ise.log.cisco_av_pair.coa-push | | boolean | +| cisco_ise.log.cisco_av_pair.cts-device-capability | | keyword | +| cisco_ise.log.cisco_av_pair.cts-environment-data | | keyword | +| cisco_ise.log.cisco_av_pair.cts-environment-version | | keyword | +| cisco_ise.log.cisco_av_pair.cts-pac-opaque | | keyword | +| cisco_ise.log.class | | keyword | +| cisco_ise.log.client.latency | | long | +| cisco_ise.log.cmdset | | keyword | +| cisco_ise.log.component | | keyword | +| cisco_ise.log.config_change.data | | keyword | +| cisco_ise.log.config_version.id | | long | +| cisco_ise.log.connectivity | | keyword | +| cisco_ise.log.cpm.session.id | | keyword | +| cisco_ise.log.currentid.store_name | | keyword | +| cisco_ise.log.delta.radius.request.count | | long | +| cisco_ise.log.delta.tacacs.request.count | | long | +| cisco_ise.log.detailed_info | | text | +| cisco_ise.log.details | | keyword | +| cisco_ise.log.device.name | | keyword | +| cisco_ise.log.device.registration_status | | keyword | +| cisco_ise.log.device.type | | keyword | +| cisco_ise.log.dtls_support | | keyword | +| cisco_ise.log.eap.authentication | | keyword | +| cisco_ise.log.eap.chaining_result | | keyword | +| cisco_ise.log.eap.tunnel | | keyword | +| cisco_ise.log.eap_key.name | | keyword | +| cisco_ise.log.enable.flag | | keyword | +| cisco_ise.log.endpoint.coa | | keyword | +| cisco_ise.log.endpoint.mac.address | | keyword | +| cisco_ise.log.endpoint.policy | | keyword | +| cisco_ise.log.endpoint.profiler | | keyword | +| cisco_ise.log.endpoint.purge.id | | keyword | +| cisco_ise.log.endpoint.purge.rule | | keyword | +| cisco_ise.log.endpoint.purge.scheduletype | | keyword | +| cisco_ise.log.ep.identity_group | | keyword | +| cisco_ise.log.ep.mac.address | | keyword | +| cisco_ise.log.error.message | | keyword | +| cisco_ise.log.event.timestamp | | date | +| cisco_ise.log.failure.flag | | boolean | +| cisco_ise.log.failure.reason | | keyword | +| cisco_ise.log.feed_service.feed.name | | keyword | +| cisco_ise.log.feed_service.feed.version | | keyword | +| cisco_ise.log.feed_service.host | | keyword | +| cisco_ise.log.feed_service.port | | keyword | +| cisco_ise.log.feed_service.query.from_time | | date | +| cisco_ise.log.feed_service.query.to_time | | date | +| cisco_ise.log.file.name | | keyword | +| cisco_ise.log.first_name | | keyword | +| cisco_ise.log.framed.ip | | ip | +| cisco_ise.log.framed.mtu | | long | +| cisco_ise.log.groups.process_failure | | boolean | +| cisco_ise.log.guest.user.name | | keyword | +| cisco_ise.log.identity.group | | keyword | +| cisco_ise.log.identity.policy.matched.rule | | keyword | +| cisco_ise.log.identity.selection.matched.rule | | keyword | +| cisco_ise.log.ipsec | | keyword | +| cisco_ise.log.is_third_party_device_flow | | boolean | +| cisco_ise.log.ise.policy.set_name | | keyword | +| cisco_ise.log.last_name | | keyword | +| cisco_ise.log.local_logging | | keyword | +| cisco_ise.log.location | | keyword | +| cisco_ise.log.log_details | | text | +| cisco_ise.log.log_error.message | | keyword | +| cisco_ise.log.log_severity_level | | keyword | +| cisco_ise.log.logger.name | | keyword | +| cisco_ise.log.message.code | | keyword | +| cisco_ise.log.message.description | | text | +| cisco_ise.log.message.id | | keyword | +| cisco_ise.log.message.text | | keyword | +| cisco_ise.log.misconfigured.client.fix.reason | | keyword | +| cisco_ise.log.model.name | | keyword | +| cisco_ise.log.nas.identifier | | keyword | +| cisco_ise.log.nas.ip | | ip | +| cisco_ise.log.nas.port.id | | keyword | +| cisco_ise.log.nas.port.number | | long | +| cisco_ise.log.nas.port.type | | keyword | +| cisco_ise.log.network.device.groups | | keyword | +| cisco_ise.log.network.device.name | | keyword | +| cisco_ise.log.network.device.profile | | keyword | +| cisco_ise.log.network.device.profile_id | | keyword | +| cisco_ise.log.network.device.profile_name | | keyword | +| cisco_ise.log.object.internal.id | | keyword | +| cisco_ise.log.object.name | | keyword | +| cisco_ise.log.object.type | | keyword | +| cisco_ise.log.objects.purged | | keyword | +| cisco_ise.log.openssl.error.message | | keyword | +| cisco_ise.log.openssl.error.stack | | keyword | +| cisco_ise.log.operation.id | | keyword | +| cisco_ise.log.operation.status | | keyword | +| cisco_ise.log.operation.type | | keyword | +| cisco_ise.log.operation_counters.counters | | flattened | +| cisco_ise.log.operation_counters.original | | text | +| cisco_ise.log.operation_message.text | | keyword | +| cisco_ise.log.original.user.name | | keyword | +| cisco_ise.log.policy.type | | keyword | +| cisco_ise.log.port | | keyword | +| cisco_ise.log.portal.name | | keyword | +| cisco_ise.log.posture.assessment.status | | keyword | +| cisco_ise.log.privilege.level | | long | +| cisco_ise.log.probe | | keyword | +| cisco_ise.log.profiler.server | | keyword | +| cisco_ise.log.protocol | | keyword | +| cisco_ise.log.psn.hostname | | keyword | +| cisco_ise.log.radius.flow.type | | keyword | +| cisco_ise.log.radius.packet.type | | keyword | +| cisco_ise.log.radius_identifier | | long | +| cisco_ise.log.radius_packet.type | | keyword | +| cisco_ise.log.request.latency | | long | +| cisco_ise.log.request.received_time | | date | +| cisco_ise.log.request_response.type | | keyword | +| cisco_ise.log.response | | flattened | +| cisco_ise.log.segment.number | | long | +| cisco_ise.log.segment.total | | long | +| cisco_ise.log.selected.access.service | | keyword | +| cisco_ise.log.selected.authentication.identity_stores | | keyword | +| cisco_ise.log.selected.authorization.profiles | | keyword | +| cisco_ise.log.sequence.number | | long | +| cisco_ise.log.server.name | | keyword | +| cisco_ise.log.server.type | | keyword | +| cisco_ise.log.service.argument | | keyword | +| cisco_ise.log.service.name | | keyword | +| cisco_ise.log.service.type | | keyword | +| cisco_ise.log.session.timeout | | long | +| cisco_ise.log.severity.level | | long | +| cisco_ise.log.software.version | | keyword | +| cisco_ise.log.state | | text | +| cisco_ise.log.static.assignment | | boolean | +| cisco_ise.log.status | | keyword | +| cisco_ise.log.step | | keyword | +| cisco_ise.log.step_data | | keyword | +| cisco_ise.log.step_latency | | keyword | +| cisco_ise.log.sysstats.acs.process.health | | flattened | +| cisco_ise.log.sysstats.cpu.count | | long | +| cisco_ise.log.sysstats.process_memory_mb | | long | +| cisco_ise.log.sysstats.utilization.cpu | | double | +| cisco_ise.log.sysstats.utilization.disk.io | | double | +| cisco_ise.log.sysstats.utilization.disk.space | | keyword | +| cisco_ise.log.sysstats.utilization.load_avg | | double | +| cisco_ise.log.sysstats.utilization.memory | | double | +| cisco_ise.log.sysstats.utilization.network | | keyword | +| cisco_ise.log.tls.cipher | | keyword | +| cisco_ise.log.tls.version | | keyword | +| cisco_ise.log.total.authen.latency | | long | +| cisco_ise.log.total.failed_attempts | | long | +| cisco_ise.log.total.failed_time | | long | +| cisco_ise.log.tunnel.medium.type | | keyword | +| cisco_ise.log.tunnel.private.group_id | | keyword | +| cisco_ise.log.tunnel.type | | keyword | +| cisco_ise.log.type | | keyword | +| cisco_ise.log.undefined_52 | | keyword | +| cisco_ise.log.usecase | | keyword | +| cisco_ise.log.user.type | | keyword | +| cisco_ise.log.workflow | | flattened | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/cisco_ise/1.1.1/img/cisco-ise-logo.svg b/packages/cisco_ise/1.1.1/img/cisco-ise-logo.svg new file mode 100755 index 0000000000..43f57cb7fe --- /dev/null +++ b/packages/cisco_ise/1.1.1/img/cisco-ise-logo.svg @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + diff --git a/packages/cisco_ise/1.1.1/img/cisco-ise-screenshot.png b/packages/cisco_ise/1.1.1/img/cisco-ise-screenshot.png new file mode 100755 index 0000000000..bda562ccab Binary files /dev/null and b/packages/cisco_ise/1.1.1/img/cisco-ise-screenshot.png differ diff --git a/packages/cisco_ise/1.1.1/img/cisco-ise-setup.png b/packages/cisco_ise/1.1.1/img/cisco-ise-setup.png new file mode 100755 index 0000000000..c6e2b94b6c Binary files /dev/null and b/packages/cisco_ise/1.1.1/img/cisco-ise-setup.png differ diff --git a/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..51ec87e937 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":[\"CISE_Internal_Operations_Diagnostics\",\"CISE_Threat_Centric_NAC\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Internal_Operations_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Threat_Centric_NAC\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9bd4d444-de17-43de-beb0-89d4d4ecc187\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"9bd4d444-de17-43de-beb0-89d4d4ecc187\",\"panelRefName\":\"panel_0\",\"title\":\"System Diagnostics Log Stream for Threat Centric NAC [Logs Cisco ISE]\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3d8fa06f-bd70-438d-bbcb-778dc278d228\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d8fa06f-bd70-438d-bbcb-778dc278d228\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"7dd60577-882f-4428-adf4-9ec7048032dc\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7dd60577-882f-4428-adf4-9ec7048032dc\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"db158b71-11fd-4950-b0e4-e9e4893aaebb\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"db158b71-11fd-4950-b0e4-e9e4893aaebb\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"c6007a66-0f97-4948-a6f9-313a47c00f42\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"c6007a66-0f97-4948-a6f9-313a47c00f42\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1a99a183-dc6e-4412-8d81-46f53eb295f5\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"1a99a183-dc6e-4412-8d81-46f53eb295f5\",\"panelRefName\":\"panel_5\",\"title\":\"System Diagnostics Log Stream for Internal Operations Diagnostics [Logs Cisco ISE]\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Cisco ISE] System Diagnostics", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "search" + }, + { + "id": "cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..6a46b9fbd2 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83.json @@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":{\"query\":\"CISE_Posture_and_Client_Provisioning_Audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Posture_and_Client_Provisioning_Audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"22a9db51-a883-4947-b41b-2c06ce7e492e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"22a9db51-a883-4947-b41b-2c06ce7e492e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":14,\"i\":\"03ebbffc-5648-4560-9510-5f27f7c59da9\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"03ebbffc-5648-4560-9510-5f27f7c59da9\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":14,\"i\":\"ca7116cf-93be-4a75-99e2-3ee133c367aa\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"ca7116cf-93be-4a75-99e2-3ee133c367aa\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b847c86c-1ef1-4ef4-afed-baac77ee2ce0\",\"w\":48,\"x\":0,\"y\":14},\"panelIndex\":\"b847c86c-1ef1-4ef4-afed-baac77ee2ce0\",\"panelRefName\":\"panel_3\",\"title\":\"Posture and Client Provisioning Audit Log Stream [Logs Cisco ISE]\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Cisco ISE] Posture and Client Provisioning Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..e71b4f24e4 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83.json @@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":{\"query\":\"CISE_System_Statistics\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_System_Statistics\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d7a85d7c-eb7a-4f92-8f90-205c60ed892b\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"d7a85d7c-eb7a-4f92-8f90-205c60ed892b\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0674168e-3642-43ed-8251-3a03f5880371\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"0674168e-3642-43ed-8251-3a03f5880371\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"57265bb8-6c32-4d2f-a3e3-376d5ab35a8d\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"57265bb8-6c32-4d2f-a3e3-376d5ab35a8d\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b3238d64-db19-4274-ae79-e2870bf314e4\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b3238d64-db19-4274-ae79-e2870bf314e4\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Cisco ISE] System Statistics", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..7c938f0565 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":[\"CISE_Failed_Attempts\",\"CISE_Passed_Authentications\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Failed_Attempts\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Passed_Authentications\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6ec5efbd-54ba-4c2c-8213-3cfa11fa25dd\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"6ec5efbd-54ba-4c2c-8213-3cfa11fa25dd\",\"panelRefName\":\"panel_0\",\"title\":\"Top 10 Device IP Address [Logs Cisco ISE]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4232cb43-a1cb-45e2-8f8b-e523232e41bc\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4232cb43-a1cb-45e2-8f8b-e523232e41bc\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a41df091-467a-48a5-a4c4-bfdda2c964ae\",\"w\":16,\"x\":0,\"y\":15},\"panelIndex\":\"a41df091-467a-48a5-a4c4-bfdda2c964ae\",\"panelRefName\":\"panel_2\",\"title\":\"Top 10 Network Device Names [Logs Cisco ISE]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2ed21712-e74e-4d26-a3e8-6888e2d3ee46\",\"w\":16,\"x\":16,\"y\":15},\"panelIndex\":\"2ed21712-e74e-4d26-a3e8-6888e2d3ee46\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"85db9e7a-7390-4797-bef4-98b487427c43\",\"w\":16,\"x\":32,\"y\":15},\"panelIndex\":\"85db9e7a-7390-4797-bef4-98b487427c43\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7b136990-2ba1-4f99-9e0b-55b00b76bbd4\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"7b136990-2ba1-4f99-9e0b-55b00b76bbd4\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1f6e0bdd-f67b-431e-8634-1299c4e5a605\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"1f6e0bdd-f67b-431e-8634-1299c4e5a605\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"64f258c3-4824-4d67-b083-e8e02ba926cc\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"64f258c3-4824-4d67-b083-e8e02ba926cc\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1ff51a84-32bb-4147-bc8a-cc5e13abfd6d\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"1ff51a84-32bb-4147-bc8a-cc5e13abfd6d\",\"panelRefName\":\"panel_8\",\"title\":\" Distribution of Events by User Type [Logs Cisco ISE]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"cc4bf643-08b2-4500-841d-ad8216532309\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"cc4bf643-08b2-4500-841d-ad8216532309\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"5b616616-c8a5-44ed-ac39-cf94acf2d625\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"5b616616-c8a5-44ed-ac39-cf94acf2d625\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"c823be14-f41c-434a-98ed-434b7da90ac9\",\"w\":48,\"x\":0,\"y\":75},\"panelIndex\":\"c823be14-f41c-434a-98ed-434b7da90ac9\",\"panelRefName\":\"panel_11\",\"title\":\"AAA Audit Log Stream [Logs Cisco ISE]\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Cisco ISE] AAA Audit ", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83", + "name": "panel_11", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..f03bd2268f --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83.json @@ -0,0 +1,107 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":[\"CISE_Authentication_Flow_Diagnostics\",\"CISE_Guest\",\"CISE_MyDevices\",\"CISE_Identity_Stores_Diagnostics\",\"CISE_Policy_Diagnostics\",\"CISE_RADIUS_Diagnostics\",\"CISE_AD_Connector\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Authentication_Flow_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Guest\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_MyDevices\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Identity_Stores_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Policy_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_RADIUS_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_AD_Connector\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9bad5a17-973e-428d-a97e-35e870506076\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"9bad5a17-973e-428d-a97e-35e870506076\",\"panelRefName\":\"panel_0\",\"title\":\"AAA Diagnostics Log Stream [Logs Cisco ISE]\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a711fab4-5b3c-4772-be34-ba329076bbc3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"a711fab4-5b3c-4772-be34-ba329076bbc3\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bbff4d11-a1cc-41ea-9834-d0a3781dbd86\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bbff4d11-a1cc-41ea-9834-d0a3781dbd86\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"a1145565-ccd8-4dd5-8ba2-fa9b46906a2b\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"a1145565-ccd8-4dd5-8ba2-fa9b46906a2b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"d10d59ee-c92b-4e28-81c4-1017be59bdfb\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"d10d59ee-c92b-4e28-81c4-1017be59bdfb\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0e3b4705-dd8a-42d7-9992-eefe9239160b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0e3b4705-dd8a-42d7-9992-eefe9239160b\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"251e4695-f4fb-4f6d-98e0-4a822942b58d\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"251e4695-f4fb-4f6d-98e0-4a822942b58d\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"94954f66-f728-4b2e-b7d3-024a4d21559a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"94954f66-f728-4b2e-b7d3-024a4d21559a\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1156a6e4-bf5a-4628-97c1-1d48296960e2\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"1156a6e4-bf5a-4628-97c1-1d48296960e2\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3db21693-851e-4584-8e01-92706e033703\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"3db21693-851e-4584-8e01-92706e033703\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"17cdfe86-a58c-4490-b253-7276fac9a458\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"17cdfe86-a58c-4490-b253-7276fac9a458\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"457e1c7e-32ae-4969-af38-81a02e0b0341\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"457e1c7e-32ae-4969-af38-81a02e0b0341\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"efaff3d9-6694-4adc-9b22-edd21d590852\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"efaff3d9-6694-4adc-9b22-edd21d590852\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"68e83de8-a2b3-4531-9e7a-80812495ef75\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"68e83de8-a2b3-4531-9e7a-80812495ef75\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"9246074a-85cc-4cc3-a2df-6ebfe2db993e\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"9246074a-85cc-4cc3-a2df-6ebfe2db993e\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"49bb018b-cab3-41c8-91b7-cdc8e30453dc\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"49bb018b-cab3-41c8-91b7-cdc8e30453dc\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Cisco ISE] AAA Diagnostics", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "search" + }, + { + "id": "cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_15", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..87f4670361 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":[\"CISE_RADIUS_Accounting\",\"CISE_TACACS_Accounting\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_RADIUS_Accounting\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_TACACS_Accounting\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c9b722c7-e508-4447-8112-230e3858b5b8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c9b722c7-e508-4447-8112-230e3858b5b8\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"216c30b3-1a72-498f-939b-11462bb0adb7\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"216c30b3-1a72-498f-939b-11462bb0adb7\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"8edd6fd7-b66b-4ee6-b542-b1e7ccd26fa4\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"8edd6fd7-b66b-4ee6-b542-b1e7ccd26fa4\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b6b0bc79-1ddb-461b-97c4-f814c1267e58\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b6b0bc79-1ddb-461b-97c4-f814c1267e58\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"77492870-ccbf-400a-ae2e-97fe9f39cd0d\",\"w\":16,\"x\":0,\"y\":30},\"panelIndex\":\"77492870-ccbf-400a-ae2e-97fe9f39cd0d\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"9abde76e-d49b-409c-924b-dd9c81c1dcea\",\"w\":16,\"x\":16,\"y\":30},\"panelIndex\":\"9abde76e-d49b-409c-924b-dd9c81c1dcea\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ec663b72-467e-4ec0-ae7f-f023109ea50f\",\"w\":16,\"x\":32,\"y\":30},\"panelIndex\":\"ec663b72-467e-4ec0-ae7f-f023109ea50f\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"044c8085-11e7-40e3-a09b-bd994ce198aa\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"044c8085-11e7-40e3-a09b-bd994ce198aa\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6e5ca98d-df46-45a1-8014-cf16a3028dc2\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"6e5ca98d-df46-45a1-8014-cf16a3028dc2\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"371949ed-d67c-438f-a91a-3875e86edaf8\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"371949ed-d67c-438f-a91a-3875e86edaf8\",\"panelRefName\":\"panel_9\",\"title\":\"Accounting Log Stream [Logs Cisco ISE]\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Cisco ISE] Accounting", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83", + "name": "panel_9", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..4130deba44 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":{\"query\":\"CISE_Administrative_and_Operational_Audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Administrative_and_Operational_Audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"70611ce1-8cc4-4e59-bca1-2f60acd5603f\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"70611ce1-8cc4-4e59-bca1-2f60acd5603f\",\"panelRefName\":\"panel_0\",\"title\":\"Administrative and Operational Audit Log Stream [Logs Cisco ISE]\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"973be120-1985-476b-939a-b0b82e570d33\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"973be120-1985-476b-939a-b0b82e570d33\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"755e7622-d79b-4ffc-a60f-df3b3dddeb86\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"755e7622-d79b-4ffc-a60f-df3b3dddeb86\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e63be268-5af1-469b-aba7-89d3d43e2d00\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"e63be268-5af1-469b-aba7-89d3d43e2d00\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"09a67f64-cb54-4976-a2a4-3fe6d891a44b\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"09a67f64-cb54-4976-a2a4-3fe6d891a44b\",\"panelRefName\":\"panel_4\",\"title\":\" Distribution of Events by Failure Flag [Logs Cisco ISE]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d18cccfc-3613-4ca0-9a7a-9ff58bf40e7f\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"d18cccfc-3613-4ca0-9a7a-9ff58bf40e7f\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Cisco ISE] Administrative and Operational Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "search" + }, + { + "id": "cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9", + "name": "panel_5", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-ed406dd0-a0ff-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-ed406dd0-a0ff-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..38c217dfcd --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/dashboard/cisco_ise-ed406dd0-a0ff-11ec-a0a2-1598702abf83.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"5034ffff-f024-4fac-94c2-8aa800dfe04d\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"5034ffff-f024-4fac-94c2-8aa800dfe04d\",\"panelRefName\":\"panel_0\",\"title\":\"Log Stream [Logs Cisco ISE]\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"5864db90-ff57-40e6-b605-b6d86b7fea43\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5864db90-ff57-40e6-b605-b6d86b7fea43\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"06cec002-64bd-4f18-a966-1b6fc2bfd4cf\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"06cec002-64bd-4f18-a966-1b6fc2bfd4cf\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Cisco ISE] Cisco ISE Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-ed406dd0-a0ff-11ec-a0a2-1598702abf83", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83", + "name": "panel_0", + "type": "search" + }, + { + "id": "cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83", + "name": "panel_2", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9.json b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9.json new file mode 100755 index 0000000000..f2f7caa6c2 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.logger.name", + "cisco_ise.log.message.description" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":[\"CISE_Internal_Operations_Diagnostics\",\"CISE_Threat_Centric_NAC\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Internal_Operations_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Threat_Centric_NAC\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "System Diagnostics Search 1" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-2c7c0eb0-a505-11ec-ab9d-4b8e737a22d9", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..9db73c774d --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.category.name", + "cisco_ise.log.message.description" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":[\"CISE_AD_Connector\",\"CISE_Authentication_Flow_Diagnostics\",\"CISE_Guest\",\"CISE_Identity_Stores_Diagnostics\",\"CISE_MyDevices\",\"CISE_RADIUS_Diagnostics\",\"CISE_Policy_Diagnostics\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_AD_Connector\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Authentication_Flow_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Guest\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Identity_Stores_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_MyDevices\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_RADIUS_Diagnostics\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Policy_Diagnostics\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "AAA Diagnostics search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-39e47010-a09b-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..67a0bbbb09 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83.json @@ -0,0 +1,40 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.operation.id", + "cisco_ise.log.operation.status", + "cisco_ise.log.operation.type" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":{\"query\":\"CISE_Posture_and_Client_Provisioning_Audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Posture_and_Client_Provisioning_Audit\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Posture and Client Provisioning Audit search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-47c77dc0-a065-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..705a7bbdfb --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.message.description", + "log.syslog.priority", + "event.original", + "cisco_ise.log.category.name", + "log.level" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Cisco ISE Search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-5f739b70-a0a6-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..044a3d2951 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83.json @@ -0,0 +1,34 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.message.description", + "cisco_ise.log.operation_message.text" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":{\"query\":\"CISE_Administrative_and_Operational_Audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Administrative_and_Operational_Audit\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "sort": [], + "title": "Administrative and Operational Audit" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-ac5b9ba0-a02d-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..184ac1d352 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83.json @@ -0,0 +1,41 @@ +{ + "attributes": { + "columns": [ + "client.ip", + "cisco_ise.log.operation_message.text", + "cisco_ise.log.message.description", + "cisco_ise.log.category.name" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":[\"CISE_Failed_Attempts\",\"CISE_Passed_Authentications\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Failed_Attempts\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Passed_Authentications\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "AAA Audit search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-d1ba7b80-a075-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..3c79c81519 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83.json @@ -0,0 +1,40 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.adapter_instance.name", + "cisco_ise.log.status", + "cisco_ise.log.connectivity" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":{\"query\":\"CISE_Threat_Centric_NAC\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_Threat_Centric_NAC\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "System Diagnostics search 2" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-eecf4510-a058-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..e0301f3285 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/search/cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "cisco_ise.log.message.description", + "cisco_ise.log.category.name" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_ise.log.category.name\",\"negate\":false,\"params\":[\"CISE_RADIUS_Accounting\",\"CISE_TACACS_Accounting\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_RADIUS_Accounting\"}},{\"match_phrase\":{\"cisco_ise.log.category.name\":\"CISE_TACACS_Accounting\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Accounting search" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f681d1f0-a09f-11ec-a0a2-1598702abf83", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..8044e8670f --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Failed Attempts by Radius Packet Type [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Radius Packet Type\",\"field\":\"cisco_ise.log.radius_packet.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Distribution of Failed Attempts by Radius Packet Type [Logs Cisco ISE]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-012b7990-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..62cfcf4ff6 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Network Device Profile for TACACS Accounting [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Network Device Profile \",\"field\":\"cisco_ise.log.network.device.profile\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Network Device Profile for TACACS Accounting [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-027d6310-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..fc1d27f223 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Authentication Method [Logs Cisco ISE]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Authentication Method\",\"field\":\"cisco_ise.log.authentication.method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Authentication Method [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-050c3630-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..5f658aa1e0 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Service for TACACS Accounting [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Service Name\",\"field\":\"cisco_ise.log.service.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Service for TACACS Accounting [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-06ba9790-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..0d65b57d9b --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83.json @@ -0,0 +1,30 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Controls [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cisco_ise.log.category.name\",\"id\":\"1646939756945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Log Category\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"log.level\",\"id\":\"1646939807026\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Log Severity\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":10,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"Controls [Logs Cisco ISE]\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-0750e560-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..593466ca76 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by NAS Port Type [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"NAS Port Type\",\"field\":\"cisco_ise.log.nas.port.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Distribution of Events by NAS Port Type [Logs Cisco ISE]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-0aeabea0-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..9ff8dfefe6 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Dashboards", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**[AAA Audit](\\u003c#/dashboard/cisco_ise-92227880-a0ff-11ec-a0a2-1598702abf83\\u003e)**\\n\\n**[AAA Diagnostics](\\u003c#/dashboard/cisco_ise-a09f1e90-a0ff-11ec-a0a2-1598702abf83\\u003e)**\\n\\n**[Accounting](\\u003c#/dashboard/cisco_ise-aea97ad0-a0ff-11ec-a0a2-1598702abf83\\u003e)**\\n\\n**[Administrative and Operational Audit](\\u003c#/dashboard/cisco_ise-d320a780-a0ff-11ec-a0a2-1598702abf83\\u003e)**\\n\\n**[Posture and Client Provisioning Audit](\\u003c#/dashboard/cisco_ise-1eaf5e30-a114-11ec-a0a2-1598702abf83\\u003e)**\\n\\n**[System Diagnostics](\\u003c#/dashboard/cisco_ise-04d54380-a100-11ec-a0a2-1598702abf83\\u003e)**\\n\\n**[System Statistics](\\u003c#/dashboard/cisco_ise-2506b030-a100-11ec-a0a2-1598702abf83\\u003e)**\\n\\n\",\"openLinksInNewTab\":true},\"title\":\"Dashboards\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-0b577980-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..67ff964057 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Admin Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Admin Name\",\"field\":\"client.user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Admin Name [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-1b9e7f50-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..08cdb3bff7 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Operation Status [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operation Status\",\"field\":\"cisco_ise.log.operation.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Operation Status [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-2228ff30-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..627810f84a --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Model Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Model Name\",\"field\":\"cisco_ise.log.model.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Model Name [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-2bba8e30-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..a914fc96d7 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Operation Type [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operation Type\",\"field\":\"cisco_ise.log.operation.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Operation Type [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-3153bf90-a2c2-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..811e91597d --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Network Device Profile Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Network Device Profile Name\",\"field\":\"cisco_ise.log.network.device.profile_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Network Device Profile Name [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-34024e70-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..b124f976bc --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Portals Used [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Portal Name\",\"field\":\"cisco_ise.log.portal.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Portals Used [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-3b4f8210-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..f2230f5d7e --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Adapter Instance Name for Threat Centric NAC [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Adapter Instance Name\",\"field\":\"cisco_ise.log.adapter_instance.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Adapter Instance Name for Threat Centric NAC [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-581310d0-a0fc-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..da44688a04 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "CPU Utilization Over Time [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"da582c56-5800-465a-a7e7-b2f0ab6df619\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"e6d7aa64-0073-4cf0-a69a-8eb06867f465\",\"label\":\"CPU Utilization \",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_ise.log.sysstats.utilization.cpu\",\"id\":\"cf165805-c812-4988-9c1a-ea442e767edc\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"CPU Utilization Over Time [Logs Cisco ISE]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-59f3a390-a0ef-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..e54222ab83 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Memory Utilization Over Time [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"eb6e177b-8e7e-4d71-ac31-db9346ccb88b\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"b1c76318-e21a-4547-979f-45ab45e40dd6\",\"label\":\"Memory Utilization\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_ise.log.sysstats.utilization.memory\",\"id\":\"3ee7cec2-d8fd-4601-8b57-40922cddfc56\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Memory Utilization Over Time [Logs Cisco ISE]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-5ebcc460-a0ef-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..9c90060073 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Disk IO Utilization Over Time [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"ea254bb6-fa55-42c5-b3d6-39127b9d0901\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"18a38b8f-685b-4dce-b54a-d18a9b013d1d\",\"label\":\"Disk IO Utilization\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_ise.log.sysstats.utilization.disk.io\",\"id\":\"8d17df3d-e242-4871-b5f0-60a358e23361\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Disk IO Utilization Over Time [Logs Cisco ISE]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-61fad860-a0ef-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..ce22d254a2 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Threat Centric NAC by Connectivity [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Connectivity\",\"field\":\"cisco_ise.log.connectivity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Threat Centric NAC by Connectivity [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-63dca4d0-a0fc-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..82f8110ff9 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Utilization Load Average Over Time [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"3ec57505-d66e-4bb7-b331-42eb113c6268\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"fb9524f8-52cd-4bb1-9a96-90a0a600d3f6\",\"label\":\"Utilization load average \",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_ise.log.sysstats.utilization.load_avg\",\"id\":\"3ce8aa40-c99c-4760-9449-9a4e14cfe06d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":null,\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Utilization Load Average Over Time [Logs Cisco ISE]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-65d46910-a0ef-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..2eefcc57c0 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 User Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User Name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 User Name [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-66fd57b0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..9138046623 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Logger Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Logger Name\",\"field\":\"cisco_ise.log.logger.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Logger Name [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-68a0bc90-a0fc-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..07f285d64c --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Threat Centric NAC by Status [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Status\",\"field\":\"cisco_ise.log.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Threat Centric NAC by Status [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-6d984060-a0fc-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..4b2285ad29 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 AD IP Address for AD Connector [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"AD IP Address\",\"field\":\"cisco_ise.log.ad.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 AD IP Address for AD Connector [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-6e302580-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..733062a170 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Device IP [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device IP Address\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Device IP [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-73fafee0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..d8995723b7 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 IP Address For AAA Diagnostics [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source IP Address\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 IP Address For AAA Diagnostics [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-78c07630-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..41dd3b1829 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Authentication Method for AAA Diagnostics [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Authentication Method\",\"field\":\"cisco_ise.log.authentication.method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Distribution of Events by Authentication Method for AAA Diagnostics [Logs Cisco ISE]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-80d71450-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..b43b667a1c --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Admin Interface [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Admin Interface\",\"field\":\"cisco_ise.log.admin.interface\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Distribution of Events by Admin Interface [Logs Cisco ISE]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-84d3a0e0-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..12db334fca --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Client IP for Administrative and Operational Audit [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IP\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Client IP for Administrative and Operational Audit [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-8794e3c0-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..d21fa0398c --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Current ID Store Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Current ID Store Name\",\"field\":\"cisco_ise.log.currentid.store_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Distribution of Events by Current ID Store Name [Logs Cisco ISE]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-88ae5f80-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..f65cb2ba2a --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by User Type [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User Type\",\"field\":\"cisco_ise.log.user.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by User Type [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-8a8cb1e0-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..64db43ae45 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Selected Access Service [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Selected Access Service\",\"field\":\"cisco_ise.log.selected.access.service\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Selected Access Service [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-8dad8470-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..8955e80420 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Object Type [Logs Cisco ISE]", + "uiStateJSON": "{\"table\":null,\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object Type\",\"field\":\"cisco_ise.log.object.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Object Type [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-941348d0-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..147077e3b6 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Authentication Identity Store [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Authentication Identity Store\",\"field\":\"cisco_ise.log.authentication.identity_store\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Authentication Identity Store [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-944f35d0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..d99e6b2e56 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Radius Diagnostics by EAP Authentication [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"EAP Authentication\",\"field\":\"cisco_ise.log.eap.authentication\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Radius Diagnostics by EAP Authentication [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-984ddab0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..be2ca27317 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Radius Diagnostics by EAP Tunnel [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"EAP Tunnel\",\"field\":\"cisco_ise.log.eap.tunnel\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Radius Diagnostics by EAP Tunnel [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-9bc06c30-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..bdbcc9a07d --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Portal Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Portal Name\",\"field\":\"cisco_ise.log.portal.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Portal Name [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-9fe20260-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..56ff195220 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Failure Flag [Logs Cisco ISE]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Failure Flag\",\"field\":\"cisco_ise.log.failure.flag\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Failure Flag [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-a3da4930-a0fb-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9.json new file mode 100755 index 0000000000..73696d308c --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Admin Name [Logs Cisco ISE]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Admin Name\",\"field\":\"client.user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Admin Name [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-af96b550-a502-11ec-ab9d-4b8e737a22d9", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..77bb2309a3 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Guest User Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Guest User Name\",\"field\":\"cisco_ise.log.guest.user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Guest User Name [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-b4f66430-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..60a71ebb35 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Device Name for My Devices [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"cisco_ise.log.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Device Name for My Devices [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-b963a960-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..dc005a0c81 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Policy Diagnostics by Policy Type [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Type\",\"field\":\"cisco_ise.log.policy.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Policy Diagnostics by Policy Type [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-bee544c0-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..ed7060875a --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 NAS IP Address for Radius Accounting [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"NAS IP Address\",\"field\":\"cisco_ise.log.nas.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 NAS IP Address for Radius Accounting [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-c9dd8990-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..5a281c1eb6 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of AD Connector Events by AD Hostname [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"AD Hostname\",\"field\":\"cisco_ise.log.ad.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of AD Connector Events by AD Hostname [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-d6278da0-a0f9-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..50f08b0511 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Radius Accounting by NAS Port Type [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"NAS Port Type\",\"field\":\"cisco_ise.log.nas.port.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Radius Accounting by NAS Port Type [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-e419b180-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..6678436f6d --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Radius Accounting by Accounting Terminate Cause [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Accounting Terminate Cause\",\"field\":\"cisco_ise.log.acct.terminate_cause\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Radius Accounting by Accounting Terminate Cause [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-e959b000-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..4cf80ca3f6 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Device IP Address [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device IP Address\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Device IP Address [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f03a5110-a0f8-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..eeffbc6899 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Device IP Address for Accounting [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device IP Address\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Device IP Address for Accounting [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f0977a50-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..a8a52ff1a3 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Protocol [Logs Cisco ISE]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Protocol [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f484a4f0-a0f8-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..756717b2b6 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Network Device Name for Accounting [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Network Device Name\",\"field\":\"cisco_ise.log.network.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Network Device Name for Accounting [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f5a39790-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..d2abdffcda --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 Network Device Names [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Network Device Name\",\"field\":\"cisco_ise.log.network.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Network Device Names [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-f8c64640-a0f8-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..f0846a722d --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 User Name for Accounting [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User Name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 User Name for Accounting [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-fb519a20-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..fdb8d48831 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Top 10 User Name [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User Name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 User Name [Logs Cisco ISE]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-fd5bace0-a0f8-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83.json b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83.json new file mode 100755 index 0000000000..51591074b7 --- /dev/null +++ b/packages/cisco_ise/1.1.1/kibana/visualization/cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"cisco_ise.log\\\" \"}}" + }, + "title": "Distribution of Events by Selected Access Service for Accounting [Logs Cisco ISE]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Selected Access Service\",\"field\":\"cisco_ise.log.selected.access.service\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Events by Selected Access Service for Accounting [Logs Cisco ISE]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_ise-ff685ae0-a0fa-11ec-a0a2-1598702abf83", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_ise/1.1.1/manifest.yml b/packages/cisco_ise/1.1.1/manifest.yml new file mode 100755 index 0000000000..7c2bb60620 --- /dev/null +++ b/packages/cisco_ise/1.1.1/manifest.yml @@ -0,0 +1,98 @@ +format_version: 1.0.0 +name: cisco_ise +title: Cisco ISE +version: "1.1.1" +license: basic +description: Collect logs from Cisco ISE with Elastic Agent. +type: integration +categories: + - security +release: ga +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/cisco-ise-screenshot.png + title: Cisco ISE dashboard screenshot + size: 600x600 + type: image/png +icons: + - src: /img/cisco-ise-logo.svg + title: Cisco ISE logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: Cisco ISE + title: Cisco_ISE logs + description: Collect cisco_ise logs + inputs: + - type: tcp + title: Collect Cisco ISE logs via TCP input + description: Collecting Cisco ISE logs via TCP input + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9025 + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - type: udp + title: Collect Cisco ISE logs via UDP input + description: Collecting Cisco ISE logs via UDP input + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9026 +owner: + github: elastic/security-external-integrations diff --git a/packages/cisco_meraki/1.2.3/LICENSE.txt b/packages/cisco_meraki/1.2.3/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_meraki/1.2.3/changelog.yml b/packages/cisco_meraki/1.2.3/changelog.yml new file mode 100755 index 0000000000..1640e44374 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/changelog.yml @@ -0,0 +1,111 @@ +# newer versions go on top +- version: "1.2.3" + changes: + - description: Improve handling of flows events. + type: bugfix + link: https://github.com/elastic/integrations/issues/4352 +- version: "1.2.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4400 +- version: "1.2.1" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "1.2.0" + changes: + - description: Add preserve_original_event function to default pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4097 +- version: "1.1.2" + changes: + - description: Fix MAC address formatting. + type: bugfix + link: https://github.com/elastic/integrations/issues/4283 +- version: "1.1.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.1.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3924 +- version: "1.0.1" + changes: + - description: Fix client.geo.location mapping + type: bugfix + link: https://github.com/elastic/integrations/pull/3941 +- version: "1.0.0" + changes: + - description: Make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/3859 +- version: "0.6.1" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "0.6.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "0.5.1" + changes: + - description: Fix doc build + type: enhancement + link: https://github.com/elastic/integrations/pull/3529 +- version: "0.5.0" + changes: + - description: Replace RSA2ELK with Syslog and Webhook integration + type: enhancement + link: https://github.com/elastic/integrations/pull/2897 +- version: "0.4.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.4.0" + changes: + - description: Update to ECS 8.0.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2580 +- version: "0.3.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2270 +- version: "0.2.3" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1956 +- version: "0.2.2" + changes: + - description: Fixed a bug that prevents the package from working in 7.16. + type: bugfix + link: https://github.com/elastic/integrations/pull/1882 +- version: "0.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1808 +- version: "0.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1785 +- version: "0.1.0" + changes: + - description: Initial commit splitting Cisco meraki from general Cisco package + type: enhancement + link: https://github.com/elastic/integrations/pull/1587 diff --git a/packages/cisco_meraki/1.2.3/data_stream/events/agent/stream/http_endpoint.yml.hbs b/packages/cisco_meraki/1.2.3/data_stream/events/agent/stream/http_endpoint.yml.hbs new file mode 100755 index 0000000000..1203728f14 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/events/agent/stream/http_endpoint.yml.hbs @@ -0,0 +1,41 @@ +type: http_endpoint +enabled: true +prefix: json + +{{#if listen_address}} +listen_address: {{listen_address}} +{{/if}} +{{#if listen_port}} +listen_port: {{listen_port}} +{{/if}} +{{#if url}} +url: {{url}} +{{/if}} + +{{#if secret_value}} +secret.header: Authorization +secret.value: "{{secret_value}}" +{{/if}} + +{{#if ssl}} +ssl: {{ssl}} +{{/if}} + +{{#if preserve_original_event}} +preserve_original_event: true +{{/if}} + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_meraki/1.2.3/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/1.2.3/data_stream/events/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..ace8dc48cb --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/events/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,300 @@ +--- +description: Pipeline for processing Cisco Meraki events +processors: +- set: + field: ecs.version + value: '8.4.0' +- set: + field: observer.serial_number + copy_from: json.deviceSerial +- gsub: + field: json.deviceMac + target_field: observer.mac + pattern: '[-:.]' + replacement: '-' +- set: + field: observer.name + copy_from: json.deviceName +- set: + field: observer.vendor + value: Cisco +- set: + field: observer.product + copy_from: json.deviceModel +- set: + field: network.name + copy_from: json.networkName +- date: + field: json.occurredAt + formats: + - ISO8601 +- set: + field: organization.id + copy_from: json.organizationId +- set: + field: organization.name + copy_from: json.organizationName +- set: + field: log.level + copy_from: json.alertLevel +- append: + field: event.category + value: network +- append: + field: event.type + value: info +- script: + lang: painless + description: The script sets event type, action and category based on type and sub-type fields + params: + eventmap: + "started_reporting": + type: + - start + "stopped_reporting": + type: + - end + "foreign_ap": + category: + - intrusion_detection + - threat + type: + - indicator + "bluetooth_in": + type: + - start + "bluetooth_out": + type: + - end + "port_cable_error": + type: + - connection + "node_hardware_failure": + category: + - host + type: + - end + "cellular_up": + type: + - start + "cellular_down": + type: + - end + "umbrella_expiring": + category: + - configuration + "ip_conflict": + type: + - protocol + "rogue_ap_association": + category: + - threat + type: + - indicator + "client_connectivity": + category: + - session + type: + - connection + "pcc_security_compliance": + category: + - configuration + "pcc_security_violation": + category: + - configuration + - threat + type: + - change + - indicator + "pcc_outage_end": + category: + - host + type: + - connection + "pcc_enrollment": + category: + - session + type: + - connection + - start + "geofencing_out": + type: + - connection + "pcc_outage_begin": + category: + - host + type: + - connection + - end + "dhcp_no_leases": + type: + - connection + - denied + - protocol + "vrrp": + category: + - configuration + type: + - change + "pcc_expired_apns_cert": + category: + - authentication + "amp_malware_blocked": + category: + - threat + - intrusion_detection + type: + - indicator + - denied + "amp_malware_detected": + category: + - threat + - intrusion_detection + type: + - indicator + - allowed + "pcc_sw_found": + category: + - host + - configuration + type: + - change + "pcc_unmanaged": + category: + - configuration + - iam + type: + - change + - deletion + "dhcp_alerts": + type: + - protocol + "power_supply_up": + type: + - start + "power_supply_down": + category: + - host + type: + - end + "unreachable_radius_server": + category: + - authentication + type: + - end + - denied + "rogue_ap": + category: + - threat + type: + - indicator + "rogue_dhcp": + category: + - threat + type: + - indicator + "settings_changed": + category: + - configuration + type: + - change + "port_connected": + type: + - connection + "port_disconnected": + type: + - end + "port_speed_change": + category: + - configuration + type: + - change + - protocol + "udld_error": + type: + - connection + - end + "uplink_ip6_conflict": + type: + - protocol + if: ctx?.json?.alertTypeId != null + source: |- + def alertTypeId = ctx.json.alertTypeId; + def eventMap = params.get('eventmap'); + def eventData = eventMap.get(alertTypeId); + ctx.event.action = ctx.json.alertType; + if (eventData == null) { + // Unclassified events + // - geofencing_in, critical_temperature + // - gateway_to_repeater, mi_alert + // - motion_alert, usage_alert + // - new_splash_signup, rps_base_supply_up + // - rps_backup, vpn_connectivity_change + return; + } + def eventCategory = eventData.get('category'); + if (eventCategory != null) { + for (def c : eventCategory) { + ctx.event.category.add(c); + } + } + def eventType = eventData.get('type'); + if (eventType != null) { + for (def t : eventType) { + ctx.event.type.add(t); + } + } +- rename: + field: json + target_field: cisco_meraki.event +## +# Clean up +## +- remove: + field: + - cisco_meraki.event.deviceSerial + - cisco_meraki.event.deviceMac + - cisco_meraki.event.deviceName + - cisco_meraki.event.deviceModel + - cisco_meraki.event.occurredAt + - cisco_meraki.event.networkName + - cisco_meraki.event.organizationId + - cisco_meraki.event.organizationName + - cisco_meraki.event.alertType + - cisco_meraki.event.alertLevel + ignore_missing: true +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/cisco_meraki/1.2.3/data_stream/events/fields/agent.yml b/packages/cisco_meraki/1.2.3/data_stream/events/fields/agent.yml new file mode 100755 index 0000000000..4c4f4b2d93 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/events/fields/agent.yml @@ -0,0 +1,179 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. +- name: log.offset + type: long + description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/1.2.3/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/1.2.3/data_stream/events/fields/base-fields.yml new file mode 100755 index 0000000000..fcbdca9da6 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/events/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_meraki +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_meraki.events +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword diff --git a/packages/cisco_meraki/1.2.3/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/1.2.3/data_stream/events/fields/ecs.yml new file mode 100755 index 0000000000..8c199ac34a --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/events/fields/ecs.yml @@ -0,0 +1,685 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + MAC address of the client. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: client.mac + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + MAC addresses of the observer. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: observer.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: Observer serial number. + name: observer.serial_number + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + MAC address of the server. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: server.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: VLAN ID as reported by the observer. + name: network.vlan.id + type: keyword +- description: |- + The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + While not required, you can use a MITRE ATT&CK® software type. + name: threat.software.type + type: keyword +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: Reference URL linking to additional information about this indicator. + name: threat.indicator.reference + type: keyword +- description: Name of the file including the extension, without the directory. + name: threat.indicator.file.name + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + name: client.geo.location.lat + type: geo_point +- description: Longitude and latitude. + name: client.geo.location.lon + type: geo_point +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. + name: client.geo.region_name + type: keyword +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword diff --git a/packages/cisco_meraki/1.2.3/data_stream/events/fields/fields.yml b/packages/cisco_meraki/1.2.3/data_stream/events/fields/fields.yml new file mode 100755 index 0000000000..7443e7680a --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/events/fields/fields.yml @@ -0,0 +1,72 @@ +- name: cisco_meraki + type: group + fields: + - name: event + type: group + fields: + - name: version + type: keyword + description: Current version of webhook format + - name: sharedSecret + type: keyword + description: User defined secret to be validated by the webhook receiver (optional) + - name: sentAt + type: date + description: Timestamp of the sent message (UTC) + - name: organizationId + type: keyword + description: ID of the Meraki organization + - name: organizationName + type: keyword + description: Name of the Meraki organization + - name: organizationUrl + type: keyword + description: URL of the Meraki Dashboard organization + - name: networkId + type: keyword + description: ID for the Meraki network + - name: networkName + type: keyword + description: Name for the Meraki network + - name: networkUrl + type: keyword + description: URL of the Meraki Dashboard network + - name: networkTags + type: keyword + description: Tags assigned to the Meraki network + - name: deviceSerial + type: keyword + description: Serial number of the Meraki device + - name: deviceMac + type: keyword + description: MAC address of the Meraki device + - name: deviceName + type: keyword + description: Name assigned to the Meraki device + - name: deviceUrl + type: keyword + description: URL of the Meraki device + - name: deviceTags + type: keyword + description: Tags assigned to the Meraki device + - name: deviceModel + type: keyword + description: Meraki device model + - name: alertId + type: keyword + description: ID for this alert message + - name: alertType + type: keyword + description: Type of alert (“Network usage alert”, “Settings changed”, etc.) + - name: alertTypeId + type: keyword + description: Unique ID for the type of alert + - name: alertLevel + type: keyword + description: Alert level (informational, critical etc.) + - name: occurredAt + type: date + description: Timestamp of the alert (UTC) + - name: alertData + type: flattened + description: Additional alert data (differs based on alert type) diff --git a/packages/cisco_meraki/1.2.3/data_stream/events/manifest.yml b/packages/cisco_meraki/1.2.3/data_stream/events/manifest.yml new file mode 100755 index 0000000000..bc4b29aa45 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/events/manifest.yml @@ -0,0 +1,76 @@ +title: Cisco Meraki webhook events +release: experimental +type: logs +streams: + - input: http_endpoint + title: Cisco Meraki webhook events + description: Receives events from Cisco Meraki webhook + template_path: http_endpoint.yml.hbs + enabled: false + vars: + - name: listen_address + type: text + title: Listen Address + description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + multi: false + required: true + show_user: true + default: 8686 + - name: url + type: text + title: Webhook path + description: URL path where the webhook will accept requests. + multi: false + required: true + show_user: false + default: /meraki/events + - name: secret_value + type: text + description: Authorization token + multi: false + required: false + show_user: true + - name: ssl + type: yaml + title: TLS + description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. + multi: false + required: false + show_user: false + default: | + enabled: false + certificate: "/etc/pki/client/cert.pem" + key: "/etc/pki/client/cert.key" + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - meraki-events + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/cisco_meraki/1.2.3/data_stream/events/sample_event.json b/packages/cisco_meraki/1.2.3/data_stream/events/sample_event.json new file mode 100755 index 0000000000..83633463a4 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/events/sample_event.json @@ -0,0 +1,86 @@ +{ + "@timestamp": "2018-02-11T00:00:00.123Z", + "agent": { + "ephemeral_id": "4e898a47-a469-4602-9ba2-0a46f55a3998", + "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.2" + }, + "cisco_meraki": { + "event": { + "alertData": { + "connection": "LTE", + "local": "192.168.1.2", + "model": "UML290VW", + "provider": "Purview Wireless", + "remote": "1.2.3.5" + }, + "alertId": "0000000000000000", + "alertTypeId": "cellular_up", + "deviceTags": [ + "tag1", + "tag2" + ], + "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", + "networkId": "N_24329156", + "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", + "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", + "sentAt": "2021-10-07T08:42:00.926325Z", + "sharedSecret": "secret", + "version": "0.1" + } + }, + "data_stream": { + "dataset": "cisco_meraki.events", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", + "snapshot": false, + "version": "8.3.2" + }, + "event": { + "action": "Cellular came up", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "cisco_meraki.events", + "ingested": "2022-08-08T18:48:35Z", + "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}", + "type": [ + "info", + "start" + ] + }, + "input": { + "type": "http_endpoint" + }, + "log": { + "level": "informational" + }, + "network": { + "name": "Main Office" + }, + "observer": { + "mac": "00-11-22-33-44-55", + "name": "My appliance", + "product": "MX", + "serial_number": "Q234-ABCD-5678", + "vendor": "Cisco" + }, + "organization": { + "id": "2930418", + "name": "My organization" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "meraki-events" + ] +} \ No newline at end of file diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/logfile.yml.hbs b/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/logfile.yml.hbs new file mode 100755 index 0000000000..52b248876b --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/logfile.yml.hbs @@ -0,0 +1,27 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} + +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' + +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..993860734e --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,24 @@ +host: "{{listen_address}}:{{listen_port}}" +max_message_size: 1 MiB + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} + +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' + +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..993860734e --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,24 @@ +host: "{{listen_address}}:{{listen_port}}" +max_message_size: 1 MiB + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} + +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' + +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml new file mode 100755 index 0000000000..2a7b399e94 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/airmarshal.yml @@ -0,0 +1,63 @@ +--- +description: Pipeline for Cisco Meraki airmarshal_events type +processors: +- dissect: + description: Determine the airmarshal event type + field: event.original + pattern: "%{} airmarshal_events %{*type}=%{&type} %{}" +- rename: + field: type + target_field: cisco_meraki.event_subtype +- grok: + field: event.original + patterns: + - '%{GREEDYDATA} ssid=%{QS:_temp.ssid}%{SPACE}%{GREEDYDATA:_temp.kvline}' +- dissect: + field: _temp.ssid + pattern: "'%{_temp.kv.ssid}'" +- kv: + field: _temp.kvline + field_split: " " + value_split: "=" + target_field: _temp.kv + strip_brackets: true +- rename: + field: _temp.kv.ssid + target_field: network.name + if: ctx?._temp?.kv?.ssid != null +- rename: + field: _temp.kv.bssid + target_field: cisco_meraki.bssid +- rename: + field: _temp.kv.vap + target_field: cisco_meraki.vap + if: ctx?.cisco_meraki?.event_subtype == 'ssid_spoofing_detected' +- gsub: + field: _temp.kv.src + target_field: source.mac + pattern: '[-:.]' + replacement: '-' +- gsub: + field: _temp.kv.dst + target_field: destination.mac + pattern: '[-:.]' + replacement: '-' +- gsub: + field: _temp.kv.wired_mac + target_field: observer.mac + pattern: '[-:.]' + replacement: '-' + if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected' +- rename: + field: _temp.kv.vlan_id + target_field: network.vlan.id + if: ctx?.cisco_meraki?.event_subtype == 'rogue_ssid_detected' +- rename: + field: _temp.kv.channel + target_field: cisco_meraki.channel +- rename: + field: _temp.kv.fc_type + target_field: cisco_meraki.fc_type +- rename: + field: _temp.kv.fc_subtype + target_field: cisco_meraki.fc_subtype diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..019665db1c --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,361 @@ +--- +description: Pipeline for Cisco Meraki syslog +processors: +- set: + field: ecs.version + value: '8.4.0' +- rename: + field: message + target_field: event.original +- dissect: + description: Extract syslog words + field: event.original + pattern: "%{} %{_temp.ts_nano} %{observer.hostname} %{cisco_meraki.event_type} %{}" +- date: + field: _temp.ts_nano + formats: + - UNIX + timezone: '{{{_conf.tz_offset}}}' +- pipeline: + name: '{{ IngestPipeline "flows" }}' + if: ctx.cisco_meraki.event_type == 'flows' +- pipeline: + name: '{{ IngestPipeline "ipflows" }}' + if: ctx.cisco_meraki.event_type == 'ip_flow_start' || ctx.cisco_meraki.event_type == 'ip_flow_end' +- pipeline: + name: '{{ IngestPipeline "airmarshal" }}' + if: ctx.cisco_meraki.event_type == 'airmarshal_events' +- pipeline: + name: '{{ IngestPipeline "security" }}' + if: ctx.cisco_meraki.event_type == 'security_event' +- pipeline: + name: '{{ IngestPipeline "idsalerts" }}' + if: ctx.cisco_meraki.event_type == 'ids-alerts' +- pipeline: + name: '{{ IngestPipeline "events" }}' + if: ctx.cisco_meraki.event_type == 'events' +- pipeline: + name: '{{ IngestPipeline "urls" }}' + if: ctx.cisco_meraki.event_type == 'urls' +- append: + field: event.category + value: ["network"] +- append: + field: event.type + value: ["info"] +- script: + lang: painless + description: The script sets event type, action and category based on type and sub-type fields + tag: set-event-type-for-meraki-events + params: + eventmap: + "vpn_connectivity_change": + category: + - session + type: + - connection + action: vpn-connectivity-change + "dhcp_offer": + type: + - access + - allowed + action: dhcp-offer + "dhcp_no_offer": + type: + - access + - denied + action: dhcp-no-offer + "Site-to-Site VPN": + type: + - access + action: site-to-site-vpn + "client_vpn_connect": + category: + - session + type: + - access + - allowed + - start + action: site-to-site-vpn + "ip_session_initiated": + type: + - access + - start + action: ip-session-initiated + "flow_allowed": + type: + - connection + - start + action: layer3-firewall-allowed-flow + "flow_denied": + type: + - access + - denied + action: layer3-firewall-denied-flow + "http_access": + category: + - web + type: + - access + action: http-access + "http_access_error": + category: + - web + type: + - error + action: http-access-error + "ids_alerted": + category: + - threat + type: + - indicator + action: ids-signature-matched + "security_filtering_file_scanned": + category: + - threat + - malware + type: + - indicator + - info + action: malicious-file-actioned + "security_filtering_disposition_change": + category: + - threat + - malware + type: + - indicator + - info + action: issued-retrospective-malicious-disposition + "association": + type: + - access + - connection + action: wifi-association-request + "disassociation": + category: + - session + type: + - access + - end + action: wifi-disassociation-request + "wpa_auth": + category: + - authentication + type: + - start + - access + action: wifi-wpa-authentication + "wpa_deauth": + category: + - authentication + type: + - end + - denied + action: wifi-wpa-failed-auth-or-deauth + "8021x_eap_failure": + category: + - authentication + type: + - end + - denied + action: wifi-8021x-failed-authentication-attempt + "8021x_deauth": + category: + - authentication + type: + - end + - denied + action: wifi-8021x-failed-auth-or-deauth + "8021x_eap_success": + category: + - authentication + type: + - start + action: wifi-8021x-auth + "splash_auth": + category: + - authentication + type: + - start + action: splash-authentication + "device_packet_flood": + category: + - threat + type: + - indicator + action: wireless-packet-flood-detected + "rogue_ssid_detected": + category: + - threat + type: + - indicator + action: rogue-ssid-detected + "ssid_spoofing_detected": + category: + - threat + type: + - indicator + action: ssid-spoofing-detected + "multiple_dhcp_servers_detected": + type: + - protocol + "dfs_event": + action: dynamic-frequency-selection-detected + "aps_association_reject": + action: association-rejected-for-load-balancing + if: ctx?.cisco_meraki?.event_subtype != null + source: |- + def eventMap = params.get('eventmap'); + def eventData = eventMap.get(ctx.cisco_meraki.event_subtype); + if (eventData == null) { + ctx.event.action = ctx.cisco_meraki.event_subtype; + return; + } + def eventCategory = eventData.get('category'); + def eventType = eventData.get('type'); + def eventAction = eventData.get('action'); + if (eventType != null) { + for (def t : eventType) { + ctx.event.type.add(t); + } + } + if (eventCategory != null) { + for (def c : eventCategory) { + ctx.event.category.add(c); + } + } + if (eventAction != null) { + ctx.event.action = eventAction; + } + +# IP Geolocation Lookup (source) +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: ctx.source?.geo == null && ctx?.source?.ip != null +# IP Autonomous System (AS) Lookup +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: ctx?.source?.ip != null +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +# IP Geolocation Lookup (destination) +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: ctx.destination?.geo == null && ctx?.destination?.ip != null +# IP Autonomous System (AS) Lookup +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: ctx?.destination?.ip != null +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +# IP Geolocation Lookup (client) +- geoip: + field: client.ip + target_field: client.geo + ignore_missing: true + if: ctx.client?.geo == null && ctx?.client?.ip != null +# IP Autonomous System (AS) Lookup +- geoip: + database_file: GeoLite2-ASN.mmdb + field: client.ip + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + if: ctx?.client?.ip != null +- rename: + field: client.as.asn + target_field: client.as.number + ignore_missing: true +- rename: + field: client.as.organization_name + target_field: client.as.organization.name + ignore_missing: true +## +# Clean up +## +- remove: + field: + - _temp + - _conf + - sport + - dport + - mac + - src + - dst + - translated_src_ip + - translated_dst_ip + - translated_port + - wired_mac + - rssi + - protocol + - dhost + - client_mac + - radio + - sts + - msgtype + - timestamp + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/events.yml new file mode 100755 index 0000000000..42ee924ac9 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/events.yml @@ -0,0 +1,206 @@ +--- +description: Pipeline for Cisco Meraki events type +processors: +#################################################### +# set event_subtype based on type/format +#################################################### +- dissect: + description: Determine event type/format + field: event.original + pattern: "%{} events %{msgtype} %{}" +- set: + field: cisco_meraki.event_subtype + value: 'Site-to-Site VPN' + if: ctx?.msgtype.toLowerCase() == "site-to-site" +- set: + field: cisco_meraki.event_subtype + value: client_vpn_connect + if: ctx?.msgtype.toLowerCase() == "client_vpn_connect" +#################################################### +# log event with type= format +# these are dfs_event, association, disassocation, +# vpn_connectivity_change, wpa_auth, wpa_deauth +#################################################### +- dissect: + description: Get the event subtype + field: event.original + pattern: "%{} events type=%{type} %{}" + if: ctx?.msgtype.startsWith("type=") +- rename: + field: type + target_field: cisco_meraki.event_subtype + if: ctx?.type != null + +#################################################### +# Handle DHCP log events +#################################################### +- dissect: + field: event.original + pattern: "%{} events dhcp %{_temp.dhcp_op} %{_temp.dhcp_op2} %{}" + if: ctx?.msgtype.toLowerCase() == "dhcp" +- set: + field: network.protocol + value: dhcp + if: ctx?.msgtype.toLowerCase() == "dhcp" +- dissect: + field: event.original + pattern: "%{} events dhcp lease of ip %{_temp.client_ip} from %{} mac %{server.mac} for client mac %{client.mac} %{}" + if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'lease' +- dissect: + field: event.original + pattern: "%{} events dhcp no offers for mac %{client.mac} %{}" + if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' +- set: + field: cisco_meraki.event_subtype + value: dhcp_offer + if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op == 'lease' +- set: + field: cisco_meraki.event_subtype + value: dhcp_no_offer + if: ctx?.msgtype.toLowerCase() == "dhcp" && ctx?._temp?.dhcp_op.toLowerCase() == 'no' && ctx?._temp?.dhcp_op2.toLowerCase() == 'offers' +#################################################### +# Handle Site-to-Site VPN message +#################################################### +- grok: + description: Process Site-to-Site VPN messages + field: event.original + patterns: + - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}(?i)Site-to-Site VPN:%{GREEDYDATA:cisco_meraki.site_to_site_vpn.raw}' + pattern_definitions: + SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' + SYSLOGVER: '\b(?:\d{1,2})\b' + SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' + WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' + if: ctx.event.original.startsWith('<') && ctx?.cisco_meraki?.event_subtype == "Site-to-Site VPN" + +#################################################### +# Handle dfs_event, wpa_auth, wpa_deauth, +# association or disassociation +#################################################### +- grok: + field: event.original + patterns: + - '%{SYSLOGHDR}%{SPACE}%{NUMBER}%{SPACE}%{WORDORHOST}%{SPACE}events%{SPACE}%{GREEDYDATA:_temp.rest}' + pattern_definitions: + SYSLOGPRI: '<%{NONNEGINT:log.syslog.priority:long}>' + SYSLOGVER: '\b(?:\d{1,2})\b' + SYSLOGHDR: '%{SYSLOGPRI}%{SYSLOGVER}' + WORDORHOST: '(?:%{WORD}|%{HOSTNAME})' + if: ctx.event.original.startsWith('<') && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', 'vpn_connectivity_change', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) +- kv: + field: _temp.rest + field_split: "[ \t]{1,}" + value_split: "=" + target_field: cisco_meraki.{{{cisco_meraki.event_subtype}}} + strip_brackets: true + if: ctx?._temp?.rest != null && ['dfs_event', 'association', 'disassociation', 'aps_association_reject', 'multiple_dhcp_servers_detected', 'wpa_deauth', 'wpa_auth', '8021x_eap_failure', '8021x_auth', '8021x_deauth', '8021x_eap_success', 'splash_auth', 'device_packet_flood'].contains(ctx.cisco_meraki.event_subtype) +# special case for site-to-site vpn +- kv: + field: _temp.rest + field_split: "[ \t]{1,}" + value_split: "=" + target_field: cisco_meraki.site_to_site_vpn.connectivity_change + strip_brackets: true + if: ctx?._temp?.rest != null && ctx?.cisco_meraki?.event_subtype == 'vpn_connectivity_change' + +#################################################### +# Move values from event subtypes to ECS fields +# multiple_dhcp_servers_detected +#################################################### +- set: + field: network.protocol + value: dhcp + if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' +- rename: + field: cisco_meraki.multiple_dhcp_servers_detected.original_server_mac + target_field: server.mac + if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' +# process original_server_ip +- grok: + field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip + patterns: + - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" + - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.original_server_ip}$" + if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' + ignore_failure: true +- convert: + type: ip + field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip + target_field: server.ip + if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' + ignore_failure: true +# cleanup only if the conversion was successful +- remove: + field: cisco_meraki.multiple_dhcp_servers_detected.original_server_ip + if: ctx?.server?.ip != null +- append: + field: related.ip + value: "{{{server.ip}}}" + if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' +# process server_ip (the other dhcp server ip) +- grok: + field: cisco_meraki.multiple_dhcp_servers_detected.server_ip + patterns: + - "^%{IPV4:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" + - "^%{IPV6:cisco_meraki.multiple_dhcp_servers_detected.server_ip}$" + if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' +- convert: + type: ip + field: cisco_meraki.multiple_dhcp_servers_detected.server_ip + if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' +- append: + field: related.ip + value: "{{{cisco_meraki.multiple_dhcp_servers_detected.server_ip}}}" + if: ctx?.cisco_meraki?.event_subtype == 'multiple_dhcp_servers_detected' +#################################################### +# wpa_deauth +#################################################### +- rename: + field: cisco_meraki.wpa_deauth.client_mac + target_field: client.mac + if: ctx?.cisco_meraki?.event_subtype == 'wpa_deauth' + +#################################################### +# Handle client_vpn_connect +#################################################### +- dissect: + field: event.original + pattern: "%{} events client_vpn_connect user id '%{user.name}' local ip %{network.forwarded_ip} connected from %{_temp.client_ip}" + if: ctx?.cisco_meraki?.event_subtype == "client_vpn_connect" + +#################################################### +# parse dissected IP values and convert to IP type +# common case for DHCP lease and client_vpn_connect +#################################################### +- grok: + field: _temp.client_ip + patterns: + - "^%{IPV4:_temp.client_ip}$" + - "^%{IPV6:_temp.client_ip}$" + if: ctx?._temp?.client_ip != null + ignore_failure: true +- convert: + type: ip + field: _temp.client_ip + target_field: client.ip + if: ctx?._temp?.client_ip != null + ignore_failure: true + +# Make MAC addresses conform to ECS spec. +- gsub: + field: client.mac + pattern: '[:.]' + replacement: '-' + ignore_missing: true +- uppercase: + field: client.mac + ignore_missing: true +- gsub: + field: server.mac + pattern: '[:.]' + replacement: '-' + ignore_missing: true +- uppercase: + field: server.mac + ignore_missing: true + diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/flows.yml b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/flows.yml new file mode 100755 index 0000000000..bca031ae23 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/flows.yml @@ -0,0 +1,24 @@ +--- +description: Pipeline for Cisco Meraki flows message type +processors: +- grok: + field: event.original + patterns: + - "flows( %{NOTSPACE:cisco_meraki.flows.op})? src=%{IP:source.ip:ip} dst=%{IP:destination.ip:ip}( mac=%{MAC:source.mac})? protocol=%{NOTSPACE:network.protocol}( sport=%{NONNEGINT:source.port:long})?( dport=%{NONNEGINT:destination.port:long})?" +- gsub: + field: source.mac + pattern: '[:.]' + replacement: '-' + ignore_missing: true +- set: + field: cisco_meraki.event_subtype + value: "ip_session_initiated" + if: ctx.cisco_meraki?.flows?.op == null +- set: + field: cisco_meraki.event_subtype + value: "flow_allowed" + if: ctx.cisco_meraki?.flows?.op == 'allow' +- set: + field: cisco_meraki.event_subtype + value: "flow_denied" + if: ctx.cisco_meraki?.flows?.op == 'deny' diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml new file mode 100755 index 0000000000..a1684a5e30 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml @@ -0,0 +1,48 @@ +--- +description: Pipeline for Cisco Meraki ids-alerts type +processors: +- dissect: + description: Determine the ids-alerts security event type + field: event.original + pattern: "%{} ids-alerts %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src}" +- set: + field: cisco_meraki.event_subtype + value: ids_alerted +- rename: + field: priority + target_field: cisco_meraki.security.priority +- rename: + field: signature + target_field: cisco_meraki.security.signature +- date: + field: timestamp + target_field: threat.indicator.last_seen + formats: ['UNIX'] +- rename: + field: direction + target_field: network.direction +- lowercase: + field: protocol + target_field: network.protocol +- grok: + field: src + patterns: + - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" + - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" + - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" + - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" + pattern_definitions: + IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' + IPV6PORTSEP: '(?: port |[p#.])' + PORT: '[0-9]+' + if: ctx?.src != null +- convert: + type: ip + field: _temp.src_ip + target_field: source.ip + ignore_failure: true +- convert: + field: sport + target_field: source.port + type: long + ignore_failure: true diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml new file mode 100755 index 0000000000..eb6667d991 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/ipflows.yml @@ -0,0 +1,62 @@ +--- +description: Pipeline for Cisco Meraki ip_flow_start and ip_flow_end message type +processors: +- dissect: + description: Determine if the token is src= or operation + field: event.original + pattern: "%{} %{} %{} %{_temp.event_type} %{_temp.token} %{}" +- dissect: + description: Case for src= follows ip_flow_start + field: event.original + pattern: "%{} ip_flow_start %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi}=%{&tsi} %{*tp}=%{&tp}" + if: ctx._temp.event_type == 'ip_flow_start' && ctx._temp.token.startsWith("src=") == true +- dissect: + description: Case for src= follows ip_flow_end + field: event.original + pattern: "%{} ip_flow_end %{*src}=%{&src} %{*dst}=%{&dst} %{*prot}=%{&prot} %{*sport}=%{&sport} %{*dport}=%{&dport} %{*tsi_or_tdi}=%{&tsi_or_tdi} %{*tp}=%{&tp}" + if: ctx._temp.event_type == 'ip_flow_end' && ctx._temp.token.startsWith("src=") == true +# source field IP:port handling +- convert: + type: ip + field: translated_src_ip + target_field: source.ip + if: ctx?.translated_src_ip != null +- convert: + type: ip + field: src + target_field: source.ip + if: ctx?.translated_src_ip == null && ctx?.src != null +- convert: + field: translated_port + target_field: source.port + type: long + if: ctx?.translated_src_ip != null && ctx?.translated_port != null +- convert: + field: sport + target_field: source.port + type: long + if: ctx?.translated_src_ip == null && ctx?.sport != null +# destination field IP:port handling +- convert: + type: ip + field: translated_dst_ip + target_field: destination.ip + if: ctx?.translated_dst_ip != null +- convert: + type: ip + field: dst + target_field: destination.ip + if: ctx?.translated_dst_ip == null && ctx?.dst != null +- convert: + field: translated_port + target_field: destination.port + type: long + if: ctx?.translated_dst_ip != null && ctx?.translated_port != null +- convert: + field: dport + target_field: destination.port + type: long + if: ctx?.translated_dst_ip == null && ctx?.dport != null +- rename: + field: protocol + target_field: network.protocol diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/security.yml b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/security.yml new file mode 100755 index 0000000000..6ddd6e2f37 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/security.yml @@ -0,0 +1,151 @@ +--- +description: Pipeline for Cisco Meraki security_event type +processors: +- dissect: + description: Determine the security event type + field: event.original + pattern: "%{} security_event %{type} %{}" +- rename: + field: type + target_field: cisco_meraki.event_subtype + +# scan event based on event type +- dissect: + field: event.original + pattern: "%{} ids_alerted %{*sig}=%{&sig} %{*pri}=%{&pri} %{*ts}=%{&ts} %{*dhost}=%{&dhost} %{*dir}=%{&dir} %{*prot}=%{&prot} %{*src}=%{&src} %{*dst}=%{&dst} %{}" + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +- dissect: + field: event.original + pattern: "%{} security_filtering_file_scanned %{*url}=%{&url} %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} %{*name}='%{&name}' %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" + if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' +- dissect: + field: event.original + pattern: "%{} security_filtering_disposition_change %{*name}=%{&name} %{*sha256}=%{&sha256} %{*disp}=%{&disp} %{*action}=%{&action}" + if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' + +# handle fields of ids_alerted type +- rename: + field: priority + target_field: cisco_meraki.security.priority + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +- rename: + field: signature + target_field: cisco_meraki.security.signature + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +- date: + field: timestamp + target_field: threat.indicator.last_seen + formats: ['UNIX'] + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +- gsub: + field: dhost + target_field: cisco_meraki.security.dhost + pattern: '[-:.]' + replacement: '-' + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +- rename: + field: direction + target_field: network.direction + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +- lowercase: + field: protocol + target_field: network.protocol + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +# Process the remaining after dst=. It can have "decision= message: *" or just "message: *" +- dissect: + field: event.original + pattern: "%{} dst=%{?ignore} %{*decision}=%{&decision} %{*message}:%{&message}" + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' + ignore_failure: true +- dissect: + field: event.original + pattern: "%{} dst=%{?ignore} %{*message}:%{&message}" + if: ctx?.decision == null && ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +- rename: + field: message + target_field: threat.indicator.description + ignore_missing: true + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' +- rename: + field: decision + target_field: cisco_meraki.security.decision + ignore_missing: true + if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' + +# handle fields of security_filtering_file_scanned or security_filtering_disposition_change type +- rename: + field: url + target_field: threat.indicator.reference + if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' +- gsub: + field: mac + target_field: cisco_meraki.security.mac + pattern: '[-:.]' + replacement: '-' + if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' +- rename: + field: name + target_field: threat.indicator.file.name + if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' +- rename: + field: sha256 + target_field: threat.indicator.file.hash.sha256 + if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' +- rename: + field: disposition + target_field: cisco_meraki.disposition + ignore_missing: true +- rename: + field: action + target_field: cisco_meraki.security.action + if: ctx?.cisco_meraki?.event_subtype == 'security_filtering_file_scanned' || ctx?.cisco_meraki?.event_subtype == 'security_filtering_disposition_change' +# fields common to more than one event type +# src processing +- grok: + field: src + patterns: + - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" + - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" + - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" + - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" + pattern_definitions: + IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' + IPV6PORTSEP: '(?: port |[p#.])' + PORT: '[0-9]+' + if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.src != null +- convert: + type: ip + field: _temp.src_ip + target_field: source.ip + if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' +- convert: + field: sport + target_field: source.port + type: long + if: ctx?.sport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' + ignore_failure: true +# dst processing +- grok: + field: dst + patterns: + - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" + - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" + - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" + - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" + pattern_definitions: + IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' + IPV6PORTSEP: '(?: port |[p#.])' + PORT: '[0-9]+' + if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' && ctx?.dst != null +- convert: + type: ip + field: _temp.dst_ip + target_field: destination.ip + ignore_failure: true + if: ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' +- convert: + field: dport + target_field: destination.port + type: long + if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' + ignore_failure: true diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/urls.yml b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/urls.yml new file mode 100755 index 0000000000..68bcddb288 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/elasticsearch/ingest_pipeline/urls.yml @@ -0,0 +1,64 @@ +--- +description: Pipeline for Cisco Meraki urls type +processors: +- dissect: + description: Determine the security event type + field: event.original + pattern: "%{} urls %{*src}=%{&src} %{*dst}=%{&dst} %{*mac}=%{&mac} request: %{http.request.method} %{url.original}" +# src processing +- grok: + field: src + patterns: + - "^%{IPV4:_temp.src_ip}:%{PORT:sport}$" + - "^\\[%{IPV6:_temp.src_ip}\\]:%{PORT:sport}$" + - "^%{IPV6NOCOMPRESS:_temp.src_ip}:%{PORT:sport}$" + - "^%{IPV6:_temp.src_ip}%{IPV6PORTSEP}%{PORT:sport}$" + pattern_definitions: + IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' + IPV6PORTSEP: '(?: port |[p#.])' + PORT: '[0-9]+' +- convert: + type: ip + field: _temp.src_ip + target_field: source.ip +- convert: + type: long + field: sport + target_field: source.port + ignore_failure: true +# dst processing +- grok: + field: dst + patterns: + - "^%{IPV4:_temp.dst_ip}:%{PORT:dport}$" + - "^\\[%{IPV6:_temp.dst_ip}\\]:%{PORT:dport}$" + - "^%{IPV6NOCOMPRESS:_temp.dst_ip}:%{PORT:dport}$" + - "^%{IPV6:_temp.dst_ip}%{IPV6PORTSEP}%{PORT:dport}$" + pattern_definitions: + IPV6NOCOMPRESS: '([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}' + IPV6PORTSEP: '(?: port |[p#.])' + PORT: '[0-9]+' +- convert: + type: ip + field: _temp.dst_ip + target_field: destination.ip + ignore_failure: true +- convert: + type: long + field: dport + target_field: destination.port + if: ctx?.dport != "0" && ctx?.cisco_meraki?.event_subtype != 'security_filtering_disposition_change' + ignore_failure: true +- gsub: + field: mac + target_field: cisco_meraki.urls.mac + pattern: '[-:.]' + replacement: '-' +- set: + field: cisco_meraki.event_subtype + value: 'http_access' + if: ctx?.http?.request?.method.toLowerCase() != 'unknown' +- set: + field: cisco_meraki.event_subtype + value: 'http_access_error' + if: ctx?.http?.request?.method.toLowerCase() == 'unknown' diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/fields/agent.yml b/packages/cisco_meraki/1.2.3/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..4c4f4b2d93 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/fields/agent.yml @@ -0,0 +1,179 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. +- name: log.offset + type: long + description: Offset of the entry in the log file. diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/1.2.3/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..79eddd5d6c --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_meraki +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_meraki.log +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/1.2.3/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..03daa6383a --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/fields/ecs.yml @@ -0,0 +1,662 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + MAC address of the client. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: client.mac + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + MAC addresses of the observer. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: observer.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + MAC address of the server. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: server.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: VLAN ID as reported by the observer. + name: network.vlan.id + type: keyword +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: Reference URL linking to additional information about this indicator. + name: threat.indicator.reference + type: keyword +- description: Name of the file including the extension, without the directory. + name: threat.indicator.file.name + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. + name: client.geo.region_name + type: keyword diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/fields/fields.yml b/packages/cisco_meraki/1.2.3/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..10a68230e9 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/fields/fields.yml @@ -0,0 +1,74 @@ +- name: cisco_meraki + type: group + fields: + - name: disposition + type: keyword + - name: event_type + type: keyword + - name: event_subtype + type: keyword + - name: bssid + type: keyword + - name: vap + type: keyword + - name: channel + type: keyword + - name: fc_type + type: keyword + - name: fc_subtype + type: keyword + - name: flows + type: flattened + - name: dfs_event + type: flattened + - name: wpa_auth + type: flattened + - name: wpa_deauth + type: flattened + - name: association + type: flattened + - name: disassociation + type: flattened + - name: 8021x_eap_failure + type: flattened + - name: 8021x_deauth + type: flattened + - name: 8021x_auth + type: flattened + - name: 8021x_eap_success + type: flattened + - name: splash_auth + type: flattened + - name: device_packet_flood + type: flattened + - name: multiple_dhcp_servers_detected + type: flattened + - name: aps_association_reject + type: flattened + - name: urls + type: group + fields: + - name: mac + type: keyword + - name: security + type: group + fields: + - name: priority + type: keyword + - name: signature + type: keyword + - name: dhost + type: keyword + - name: decision + type: keyword + - name: mac + type: keyword + - name: action + type: keyword + - name: site_to_site_vpn + type: group + fields: + - name: raw + type: text + - name: connectivity_change + type: flattened diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/manifest.yml b/packages/cisco_meraki/1.2.3/data_stream/log/manifest.yml new file mode 100755 index 0000000000..bf78f78a80 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/manifest.yml @@ -0,0 +1,175 @@ +title: Cisco Meraki logs (via Syslog) +release: experimental +type: logs +streams: + - input: udp + template_path: udp.yml.hbs + title: Cisco Meraki logs + description: Collect Cisco Meraki logs (via Syslog) + enabled: true + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 8685 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-meraki + - forwarded + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + template_path: tcp.yml.hbs + title: Cisco Meraki logs + description: Collect Cisco Meraki logs (via Syslog) + enabled: false + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 8685 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: ssl + type: yaml + title: TLS + description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. + multi: false + required: false + show_user: false + default: | + enabled: false + certificate: "/etc/pki/client/cert.pem" + key: "/etc/pki/client/cert.key" + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-meraki + - forwarded + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + template_path: logfile.yml.hbs + title: Cisco Meraki logs + description: Collect Cisco Meraki logs (via Syslog) + enabled: false + vars: + - name: paths + type: text + title: Paths + multi: true + required: false + show_user: true + default: + - /var/log/cisco-meraki.log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - cisco-meraki + - forwarded + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/cisco_meraki/1.2.3/data_stream/log/sample_event.json b/packages/cisco_meraki/1.2.3/data_stream/log/sample_event.json new file mode 100755 index 0000000000..930a22a9e8 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/data_stream/log/sample_event.json @@ -0,0 +1,94 @@ +{ + "@timestamp": "2021-11-23T18:13:18.348Z", + "agent": { + "ephemeral_id": "d0614353-dd50-4b65-b142-df54b2a69013", + "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.2" + }, + "cisco_meraki": { + "event_subtype": "ids_alerted", + "event_type": "security_event", + "security": { + "decision": "allowed", + "dhost": "D0-AB-D5-7B-43-73", + "priority": "1", + "signature": "1:29708:4" + } + }, + "data_stream": { + "dataset": "cisco_meraki.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "10.0.3.162", + "port": 56391 + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", + "snapshot": false, + "version": "8.3.2" + }, + "event": { + "action": "ids-signature-matched", + "agent_id_status": "verified", + "category": [ + "network", + "threat" + ], + "dataset": "cisco_meraki.log", + "ingested": "2022-08-08T18:50:52Z", + "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", + "type": [ + "info", + "indicator" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.18.0.5:44064" + } + }, + "network": { + "direction": "ingress", + "protocol": "tcp/ip" + }, + "observer": { + "hostname": "MX84" + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.12", + "port": 80 + }, + "tags": [ + "preserve_original_event", + "cisco-meraki", + "forwarded" + ], + "threat": { + "indicator": { + "description": " BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", + "last_seen": "2021-11-23T18:13:18.330Z" + } + } +} \ No newline at end of file diff --git a/packages/cisco_meraki/1.2.3/docs/README.md b/packages/cisco_meraki/1.2.3/docs/README.md new file mode 100755 index 0000000000..0cc7e5d7cf --- /dev/null +++ b/packages/cisco_meraki/1.2.3/docs/README.md @@ -0,0 +1,697 @@ +# Cisco Meraki Integration + +Cisco Meraki offers a centralized cloud management platform for all Meraki devices such as MX Security Appliances, MR Access Points and so on. Its out-of-band cloud architecture creates secure, scalable and easy-to-deploy networks that can be managed from anywhere. This can be done from almost any device using web-based Meraki Dashboard and Meraki Mobile App. Each Meraki network generates its own events. + +Cisco Meraki offers [several methods for device reporting](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API). This integration supports gathering events via the Cisco Meraki syslog and via API reporting webhooks. The integration package allows you to search, observe, and visualize the events through Elasticsearch. + +## Compatibility + +A syslog server can be configured to store messages for reporting purposes from MX Security Appliances, MR Access Points, and MS switches. This package collects events from the configured syslog server. The integration supports collection of events from "MX Security Appliances" and "MR Access Points". The "MS Switch" events are not recognized. + +## Configuration + +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations** +2. In "Search for integrations" search bar type **Meraki** +3. Click on "Cisco Meraki" integration from the search results. +4. Click on **Add Cisco Meraki Integration** button to add the integration. + +### Cisco Meraki Dashboard Configuration + +#### Syslog + +Cisco Meraki dashboard can be used to configure one or more syslog servers and Meraki message types to be sent to the syslog servers. Refer to [Syslog Server Overview and Configuration](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration#Configuring_a_Syslog_Server) page for more information on how to configure syslog server on Cisco Meraki. + +#### API Endpoint (Webhooks) + +Cisco Meraki dashboard can be used to configure Meraki webhooks. Refer to the [Webhooks Dashboard Setup](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API#Webhooks_Dashboard_Setup) section. + +### Configure the Cisco Meraki integration + +#### Syslog + +Depending on the syslog server setup in your environment check one/more of the following options "Collect syslog from Cisco Meraki via UDP", "Collect syslog from Cisco Meraki via TCP", "Collect syslog from Cisco Meraki via file". + +Enter the values for syslog host and port OR file path based on the chosen configuration options. + +### API Endpoint (Webhooks) + +Check the option "Collect events from Cisco Meraki via Webhooks" option. + +1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8686/meraki/events`. +2. Enter value for "Secret value". This must match the "Shared Secret" value entered when configuring the webhook from Meraki cloud. +3. Enter values for "TLS". Cisco Meraki requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration. + +### Log Events + +Enable to collect Cisco Meraki log events for all the applications configured for the chosen log stream. + +## Logs + +### Syslog + +The `cisco_meraki.log` dataset provides events from the configured syslog server. All Cisco Meraki syslog specific fields are available in the `cisco_meraki.log` field group. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cisco_meraki.8021x_auth | | flattened | +| cisco_meraki.8021x_deauth | | flattened | +| cisco_meraki.8021x_eap_failure | | flattened | +| cisco_meraki.8021x_eap_success | | flattened | +| cisco_meraki.aps_association_reject | | flattened | +| cisco_meraki.association | | flattened | +| cisco_meraki.bssid | | keyword | +| cisco_meraki.channel | | keyword | +| cisco_meraki.device_packet_flood | | flattened | +| cisco_meraki.dfs_event | | flattened | +| cisco_meraki.disassociation | | flattened | +| cisco_meraki.disposition | | keyword | +| cisco_meraki.event_subtype | | keyword | +| cisco_meraki.event_type | | keyword | +| cisco_meraki.fc_subtype | | keyword | +| cisco_meraki.fc_type | | keyword | +| cisco_meraki.flows | | flattened | +| cisco_meraki.multiple_dhcp_servers_detected | | flattened | +| cisco_meraki.security.action | | keyword | +| cisco_meraki.security.decision | | keyword | +| cisco_meraki.security.dhost | | keyword | +| cisco_meraki.security.mac | | keyword | +| cisco_meraki.security.priority | | keyword | +| cisco_meraki.security.signature | | keyword | +| cisco_meraki.site_to_site_vpn.connectivity_change | | flattened | +| cisco_meraki.site_to_site_vpn.raw | | text | +| cisco_meraki.splash_auth | | flattened | +| cisco_meraki.urls.mac | | keyword | +| cisco_meraki.vap | | keyword | +| cisco_meraki.wpa_auth | | flattened | +| cisco_meraki.wpa_deauth | | flattened | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Input type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.vlan.id | VLAN ID as reported by the observer. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2021-11-23T18:13:18.348Z", + "agent": { + "ephemeral_id": "d0614353-dd50-4b65-b142-df54b2a69013", + "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.2" + }, + "cisco_meraki": { + "event_subtype": "ids_alerted", + "event_type": "security_event", + "security": { + "decision": "allowed", + "dhost": "D0-AB-D5-7B-43-73", + "priority": "1", + "signature": "1:29708:4" + } + }, + "data_stream": { + "dataset": "cisco_meraki.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": "10.0.3.162", + "port": 56391 + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", + "snapshot": false, + "version": "8.3.2" + }, + "event": { + "action": "ids-signature-matched", + "agent_id_status": "verified", + "category": [ + "network", + "threat" + ], + "dataset": "cisco_meraki.log", + "ingested": "2022-08-08T18:50:52Z", + "original": "\u003c134\u003e1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", + "type": [ + "info", + "indicator" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.18.0.5:44064" + } + }, + "network": { + "direction": "ingress", + "protocol": "tcp/ip" + }, + "observer": { + "hostname": "MX84" + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.12", + "port": 80 + }, + "tags": [ + "preserve_original_event", + "cisco-meraki", + "forwarded" + ], + "threat": { + "indicator": { + "description": " BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", + "last_seen": "2021-11-23T18:13:18.330Z" + } + } +} +``` + +### API Endpoint (Webhooks) + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cisco_meraki.event.alertData | Additional alert data (differs based on alert type) | flattened | +| cisco_meraki.event.alertId | ID for this alert message | keyword | +| cisco_meraki.event.alertLevel | Alert level (informational, critical etc.) | keyword | +| cisco_meraki.event.alertType | Type of alert (“Network usage alert”, “Settings changed”, etc.) | keyword | +| cisco_meraki.event.alertTypeId | Unique ID for the type of alert | keyword | +| cisco_meraki.event.deviceMac | MAC address of the Meraki device | keyword | +| cisco_meraki.event.deviceModel | Meraki device model | keyword | +| cisco_meraki.event.deviceName | Name assigned to the Meraki device | keyword | +| cisco_meraki.event.deviceSerial | Serial number of the Meraki device | keyword | +| cisco_meraki.event.deviceTags | Tags assigned to the Meraki device | keyword | +| cisco_meraki.event.deviceUrl | URL of the Meraki device | keyword | +| cisco_meraki.event.networkId | ID for the Meraki network | keyword | +| cisco_meraki.event.networkName | Name for the Meraki network | keyword | +| cisco_meraki.event.networkTags | Tags assigned to the Meraki network | keyword | +| cisco_meraki.event.networkUrl | URL of the Meraki Dashboard network | keyword | +| cisco_meraki.event.occurredAt | Timestamp of the alert (UTC) | date | +| cisco_meraki.event.organizationId | ID of the Meraki organization | keyword | +| cisco_meraki.event.organizationName | Name of the Meraki organization | keyword | +| cisco_meraki.event.organizationUrl | URL of the Meraki Dashboard organization | keyword | +| cisco_meraki.event.sentAt | Timestamp of the sent message (UTC) | date | +| cisco_meraki.event.sharedSecret | User defined secret to be validated by the webhook receiver (optional) | keyword | +| cisco_meraki.event.version | Current version of webhook format | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location.lat | Longitude and latitude. | geo_point | +| client.geo.location.lon | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Input type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.vlan.id | VLAN ID as reported by the observer. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| organization.id | Unique identifier for the organization. | keyword | +| organization.name | Organization name. | keyword | +| organization.name.text | Multi-field of `organization.name`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | +| threat.software.type | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + + +An example event for `events` looks as following: + +```json +{ + "@timestamp": "2018-02-11T00:00:00.123Z", + "agent": { + "ephemeral_id": "4e898a47-a469-4602-9ba2-0a46f55a3998", + "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.3.2" + }, + "cisco_meraki": { + "event": { + "alertData": { + "connection": "LTE", + "local": "192.168.1.2", + "model": "UML290VW", + "provider": "Purview Wireless", + "remote": "1.2.3.5" + }, + "alertId": "0000000000000000", + "alertTypeId": "cellular_up", + "deviceTags": [ + "tag1", + "tag2" + ], + "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", + "networkId": "N_24329156", + "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", + "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", + "sentAt": "2021-10-07T08:42:00.926325Z", + "sharedSecret": "secret", + "version": "0.1" + } + }, + "data_stream": { + "dataset": "cisco_meraki.events", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "e999e428-e6a9-4c63-bd05-0eda93c920b3", + "snapshot": false, + "version": "8.3.2" + }, + "event": { + "action": "Cellular came up", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "cisco_meraki.events", + "ingested": "2022-08-08T18:48:35Z", + "original": "{\"alertData\":{\"connection\":\"LTE\",\"local\":\"192.168.1.2\",\"model\":\"UML290VW\",\"provider\":\"Purview Wireless\",\"remote\":\"1.2.3.5\"},\"alertId\":\"0000000000000000\",\"alertLevel\":\"informational\",\"alertType\":\"Cellular came up\",\"alertTypeId\":\"cellular_up\",\"deviceMac\":\"00:11:22:33:44:55\",\"deviceModel\":\"MX\",\"deviceName\":\"My appliance\",\"deviceSerial\":\"Q234-ABCD-5678\",\"deviceTags\":[\"tag1\",\"tag2\"],\"deviceUrl\":\"https://n1.meraki.com//n//manage/nodes/new_list/000000000000\",\"networkId\":\"N_24329156\",\"networkName\":\"Main Office\",\"networkTags\":[],\"networkUrl\":\"https://n1.meraki.com//n//manage/nodes/list\",\"occurredAt\":\"2018-02-11T00:00:00.123450Z\",\"organizationId\":\"2930418\",\"organizationName\":\"My organization\",\"organizationUrl\":\"https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview\",\"sentAt\":\"2021-10-07T08:42:00.926325Z\",\"sharedSecret\":\"secret\",\"version\":\"0.1\"}", + "type": [ + "info", + "start" + ] + }, + "input": { + "type": "http_endpoint" + }, + "log": { + "level": "informational" + }, + "network": { + "name": "Main Office" + }, + "observer": { + "mac": "00-11-22-33-44-55", + "name": "My appliance", + "product": "MX", + "serial_number": "Q234-ABCD-5678", + "vendor": "Cisco" + }, + "organization": { + "id": "2930418", + "name": "My organization" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "meraki-events" + ] +} +``` diff --git a/packages/cisco_meraki/1.2.3/img/cisco-logo.svg b/packages/cisco_meraki/1.2.3/img/cisco-logo.svg new file mode 100755 index 0000000000..a174ad4488 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/img/cisco-logo.svg @@ -0,0 +1 @@ + diff --git a/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-1.png b/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-1.png new file mode 100755 index 0000000000..7f6816cf73 Binary files /dev/null and b/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-1.png differ diff --git a/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-2.png b/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-2.png new file mode 100755 index 0000000000..810b80d4ad Binary files /dev/null and b/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-2.png differ diff --git a/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-3.png b/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-3.png new file mode 100755 index 0000000000..1cfa3ccb7d Binary files /dev/null and b/packages/cisco_meraki/1.2.3/img/cisco-meraki-dashboard-3.png differ diff --git a/packages/cisco_meraki/1.2.3/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json b/packages/cisco_meraki/1.2.3/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json new file mode 100755 index 0000000000..11cb03d88a --- /dev/null +++ b/packages/cisco_meraki/1.2.3/kibana/dashboard/cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4.json @@ -0,0 +1,157 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\":{\"columnOrder\":[\"c379da24-eba4-47a5-b9aa-213324504619\"],\"columns\":{\"c379da24-eba4-47a5-b9aa-213324504619\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of source.mac\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"source.mac\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"c379da24-eba4-47a5-b9aa-213324504619\",\"layerId\":\"9f3c668f-fec6-4125-ae7b-fcb073df79c1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"w\":9,\"x\":0,\"y\":0},\"panelIndex\":\"372a6801-2e52-4c4c-a674-746eec7f7e09\",\"title\":\"Count of source MAC address\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"511effff-5682-4cfa-a2de-739bbefa93ea\":{\"columnOrder\":[\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"0929169c-0ee9-4eb6-93b6-effcb648c779\",\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"columns\":{\"0929169c-0ee9-4eb6-93b6-effcb648c779\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c66ed022-eab0-4834-8a01-f508aa4b32b3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"},\"c66ed022-eab0-4834-8a01-f508aa4b32b3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"c66ed022-eab0-4834-8a01-f508aa4b32b3\"],\"layerId\":\"511effff-5682-4cfa-a2de-739bbefa93ea\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"b6287f3a-b96b-4973-b2d2-1e4f7830f9e5\",\"xAccessor\":\"0929169c-0ee9-4eb6-93b6-effcb648c779\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"03bf41fe-673d-4f95-9d6e-510d8dc46ba6\",\"w\":13,\"x\":9,\"y\":0},\"panelIndex\":\"03bf41fe-673d-4f95-9d6e-510d8dc46ba6\",\"title\":\"Rate of events by type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"abda3ec0-db97-4e02-a42e-45e716110de2\":{\"columnOrder\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\",\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\"],\"columns\":{\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c59ef8c2-80ea-4386-834f-378f4a76b87c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cisco_meraki.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c59ef8c2-80ea-4386-834f-378f4a76b87c\"],\"layerId\":\"abda3ec0-db97-4e02-a42e-45e716110de2\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"c1fce02c-25a5-4a5c-a3a3-9412786a5520\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"w\":13,\"x\":22,\"y\":0},\"panelIndex\":\"475cb47c-34d7-4c56-b57d-e27d25678fc8\",\"title\":\"Event distribution by type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\":{\"columnOrder\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\",\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\"],\"columns\":{\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of cisco_meraki.event_type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"cisco_meraki.event_type\"},\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cisco_meraki.event_subtype\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"cisco_meraki.event_subtype\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d1a56033-ffe5-44ed-a05f-ab79d5db90aa\"],\"layerId\":\"d8f74b4f-a83b-47bc-b862-2bc47ee790eb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6d64dae-3a8d-49c1-8e4d-b08758c35a09\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"58bbda58-7c31-44e1-8568-d37c2c585e53\",\"title\":\"Event distribution by sub-type\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\":{\"columnOrder\":[\"66ede758-6532-443e-834d-a847c964682f\"],\"columns\":{\"66ede758-6532-443e-834d-a847c964682f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of rogue SSIDs detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"rogue_ssid_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"rogue_ssid_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"66ede758-6532-443e-834d-a847c964682f\",\"layerId\":\"5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"w\":9,\"x\":0,\"y\":5},\"panelIndex\":\"8baff03a-7860-4fcc-90ff-3d5534e70845\",\"title\":\"Number of rogue SSIDs detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bcffdee9-d006-4e9c-abcc-081ac4739d02\":{\"columnOrder\":[\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\"],\"columns\":{\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"No. of SSID spoofing detected\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"cisco_meraki.event_subtype\",\"negate\":false,\"params\":{\"query\":\"ssid_spoofing_detected\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_meraki.event_subtype\":\"ssid_spoofing_detected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"86b75fce-daae-4725-8de4-6bcd5c7cc80a\",\"layerId\":\"bcffdee9-d006-4e9c-abcc-081ac4739d02\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":5,\"i\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"w\":9,\"x\":0,\"y\":10},\"panelIndex\":\"bcfe3eee-750d-476f-b7c1-afec41803720\",\"title\":\"Number of SSID spoofing detected\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9a165bef-572a-44fb-9285-70d75530b799\":{\"columnOrder\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\",\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\"],\"columns\":{\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.action\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.action\"},\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9df0ec49-bc15-494a-8ca7-437cd63ee7cd\",\"aca7f561-3ca9-4705-bf6e-e470d1fb0536\"],\"layerId\":\"9a165bef-572a-44fb-9285-70d75530b799\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5a195aa9-a6fa-45cd-94a7-89f782c9a638\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":24,\"i\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"w\":27,\"x\":0,\"y\":15},\"panelIndex\":\"e359d544-a8d6-4019-9756-74519a9d3335\",\"title\":\"Events by category and action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"09082ad3-0055-461d-bf69-2b69a5dfb298\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ce84cee6-da49-4261-beaa-628ca03abc52\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}]},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Green to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\",\\\"useCustomColorRamp\\\":false}},\\\"lineWidth\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":3}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"field\\\":{\\\"label\\\":\\\"count\\\",\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\",\\\"type\\\":\\\"number\\\",\\\"supportsAutoDomain\\\":true}}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"8dec8632-de8b-43df-9731-5c6c45ecb45f\\\",\\\"label\\\":\\\"src-dst-ip-p2p\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR\\\",\\\"joins\\\":[]}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.61,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-2y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[{\\\"meta\\\":{\\\"index\\\":\\\"logs-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"data_stream.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"cisco_meraki.log\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"data_stream.dataset\\\":\\\"cisco_meraki.log\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":19.50912,\"lon\":-10.59576,\"zoom\":0.61},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"w\":21,\"x\":27,\"y\":15},\"panelIndex\":\"beacf090-799a-415a-bbad-302cd02d50be\",\"title\":\"IP Flows\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"04c98418-d7c7-4552-9ed3-d0380795febd\":{\"columnOrder\":[\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"columns\":{\"1e47d004-4347-46ee-aed2-280f64e8888d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of url.original\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"url.original\"},\"4c2300ef-9033-45bd-8b0e-06deea3996f1\":{\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cisco_meraki.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cisco_meraki.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"],\"layerId\":\"04c98418-d7c7-4552-9ed3-d0380795febd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"xAccessor\":\"1e47d004-4347-46ee-aed2-280f64e8888d\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"4c2300ef-9033-45bd-8b0e-06deea3996f1\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"58d65007-15fc-492f-a8db-f509b7d28aad\",\"title\":\"Top URL access\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"w\":48,\"x\":0,\"y\":39},\"panelIndex\":\"a7fc4a8a-954f-4fc0-acfc-2d358c89b2c6\",\"title\":\"Log stream\",\"type\":\"LOG_STREAM_EMBEDDABLE\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Meraki Syslog Events] Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_meraki-4832a430-af22-11ec-a899-6f7e676e0fb4", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:indexpattern-datasource-layer-9f3c668f-fec6-4125-ae7b-fcb073df79c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "372a6801-2e52-4c4c-a674-746eec7f7e09:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:indexpattern-datasource-layer-511effff-5682-4cfa-a2de-739bbefa93ea", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "03bf41fe-673d-4f95-9d6e-510d8dc46ba6:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:indexpattern-datasource-layer-abda3ec0-db97-4e02-a42e-45e716110de2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "475cb47c-34d7-4c56-b57d-e27d25678fc8:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58bbda58-7c31-44e1-8568-d37c2c585e53:indexpattern-datasource-layer-d8f74b4f-a83b-47bc-b862-2bc47ee790eb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:indexpattern-datasource-layer-5dc18b67-2c60-44c0-b3b5-7dd507bd4c3d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8baff03a-7860-4fcc-90ff-3d5534e70845:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bcfe3eee-750d-476f-b7c1-afec41803720:indexpattern-datasource-layer-bcffdee9-d006-4e9c-abcc-081ac4739d02", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bcfe3eee-750d-476f-b7c1-afec41803720:filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e359d544-a8d6-4019-9756-74519a9d3335:indexpattern-datasource-layer-9a165bef-572a-44fb-9285-70d75530b799", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e359d544-a8d6-4019-9756-74519a9d3335:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "beacf090-799a-415a-bbad-302cd02d50be:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58d65007-15fc-492f-a8db-f509b7d28aad:indexpattern-datasource-layer-04c98418-d7c7-4552-9ed3-d0380795febd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58d65007-15fc-492f-a8db-f509b7d28aad:filter-index-pattern-0", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_meraki/1.2.3/manifest.yml b/packages/cisco_meraki/1.2.3/manifest.yml new file mode 100755 index 0000000000..316ddb55e3 --- /dev/null +++ b/packages/cisco_meraki/1.2.3/manifest.yml @@ -0,0 +1,50 @@ +format_version: 1.0.0 +name: cisco_meraki +title: Cisco Meraki +version: 1.2.3 +license: basic +description: Collect logs from Cisco Meraki with Elastic Agent. +type: integration +categories: + - network + - security +release: ga +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/cisco-meraki-dashboard-1.png + title: Cisco Meraki Dashboard + size: 600x600 + type: image/png + - src: /img/cisco-meraki-dashboard-2.png + title: Cisco Meraki Dashboard + size: 600x600 + type: image/png + - src: /img/cisco-meraki-dashboard-3.png + title: Cisco Meraki Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/cisco-logo.svg + title: Cisco logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: cisco_meraki + title: Cisco Meraki logs or events + description: Collect logs or events from Cisco Meraki + inputs: + - type: udp + title: Collect syslog from Cisco Meraki via UDP + description: Collecting syslog from Cisco Meraki via UDP + - type: tcp + title: Collect syslog from Cisco Meraki via TCP + description: Collecting syslog from Cisco Meraki via TCP + - type: logfile + title: Collect syslog from Cisco Meraki via file + description: Collecting syslog from Cisco Meraki via file + - type: http_endpoint + title: Collect events from Cisco Meraki via Webhooks + description: Collecting events from Cisco Meraki via Webhooks +owner: + github: elastic/security-external-integrations diff --git a/packages/cisco_nexus/0.7.3/LICENSE.txt b/packages/cisco_nexus/0.7.3/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_nexus/0.7.3/changelog.yml b/packages/cisco_nexus/0.7.3/changelog.yml new file mode 100755 index 0000000000..151b57b2ba --- /dev/null +++ b/packages/cisco_nexus/0.7.3/changelog.yml @@ -0,0 +1,81 @@ +# newer versions go on top +- version: "0.7.3" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4400 +- version: "0.7.2" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "0.7.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "0.7.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3843 +- version: "0.6.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "0.5.1" + changes: + - description: Updated readme file + type: enhancement + link: https://github.com/elastic/integrations/pull/2934 +- version: "0.5.0" + changes: + - description: Update to ECS 8.2.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "0.4.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.4.0" + changes: + - description: Update to ECS 8.0.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2581 +- version: "0.3.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2250 +- version: "0.2.3" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1957 +- version: "0.2.2" + changes: + - description: Fixed a bug that prevents the package from working in 7.16. + type: bugfix + link: https://github.com/elastic/integrations/pull/1882 +- version: "0.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1809 +- version: "0.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1786 +- version: "0.1.0" + changes: + - description: Initial implementation for splitting Cisco nexus from Cisco package + type: enhancement + link: https://github.com/elastic/integrations/pull/1588 diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..d998957901 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/stream.yml.hbs @@ -0,0 +1,7179 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cisco" + product: "Nexus" + type: "Switches" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} Hit-count = %{dclass_counter1}"); + + var dup60 = setc("dclass_counter1_string","Hit Count"); + + var dup61 = setc("eventcategory","1603100000"); + + var dup62 = setc("eventcategory","1701020000"); + + var dup63 = setc("eventcategory","1801000000"); + + var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var dup72 = setc("ec_outcome","Error"); + + var dup73 = setc("eventcategory","1703000000"); + + var dup74 = setc("obj_type","vPC"); + + var dup75 = setc("ec_subject","OS"); + + var dup76 = setc("ec_activity","Start"); + + var dup77 = setc("eventcategory","1801010000"); + + var dup78 = setc("ec_activity","Receive"); + + var dup79 = setc("ec_activity","Send"); + + var dup80 = setc("ec_activity","Create"); + + var dup81 = setc("event_description","Switchover completed."); + + var dup82 = setc("event_description","Invalid user"); + + var dup83 = setc("eventcategory","1401000000"); + + var dup84 = setc("ec_subject","Service"); + + var dup85 = setc("event_description","Duplicate address Detected."); + + var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup92 = linear_select([ + dup26, + dup27, + ]); + + var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var dup98 = linear_select([ + dup46, + dup47, + ]); + + var dup99 = linear_select([ + dup49, + dup50, + ]); + + var dup100 = linear_select([ + dup54, + dup55, + ]); + + var dup101 = linear_select([ + dup57, + dup58, + ]); + + var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup103 = linear_select([ + dup65, + dup66, + ]); + + var dup104 = linear_select([ + dup67, + dup68, + ]); + + var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup107 = linear_select([ + dup70, + dup71, + ]); + + var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), + ])); + + var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr5 = match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), + ])); + + var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), + ])); + + var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + ]); + + var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); + + var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg2 = msg("SYSTEM_MSG", part1); + + var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg3 = msg("SYSTEM_MSG:12", part2); + + var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg4 = msg("SYSTEM_MSG:01", part3); + + var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg5 = msg("SYSTEM_MSG:11", part4); + + var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); + + var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + + var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); + + var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), + }); + + var msg6 = msg("SYSTEM_MSG:19", all1); + + var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg7 = msg("SYSTEM_MSG:02", part9); + + var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + + var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); + + var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + + var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + + var select4 = linear_select([ + part13, + part14, + ]); + + var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); + + var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg8 = msg("SYSTEM_MSG:03", all2); + + var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg9 = msg("SYSTEM_MSG:04", part16); + + var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + + var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + + var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + + var select5 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); + + var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg10 = msg("SYSTEM_MSG:05", all3); + + var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg11 = msg("SYSTEM_MSG:06", part21); + + var part22 = match("MESSAGE#11:SYSTEM_MSG:07", "nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg12 = msg("SYSTEM_MSG:07", part22); + + var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg13 = msg("SYSTEM_MSG:09", part23); + + var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg14 = msg("SYSTEM_MSG:10", part24); + + var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg15 = msg("SYSTEM_MSG:13", part25); + + var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg16 = msg("SYSTEM_MSG:14", part26); + + var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, + ])); + + var msg17 = msg("SYSTEM_MSG:15", part27); + + var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, + ])); + + var msg18 = msg("SYSTEM_MSG:16", part28); + + var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + + var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + + var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + + var select6 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + + var all4 = all_match({ + processors: [ + part29, + select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg19 = msg("SYSTEM_MSG:17", all4); + + var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg20 = msg("SYSTEM_MSG:20", part33); + + var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, + ])); + + var msg21 = msg("SYSTEM_MSG:21", part34); + + var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg22 = msg("SYSTEM_MSG:22", part35); + + var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + ])); + + var msg23 = msg("SYSTEM_MSG:23", part36); + + var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + + var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); + + var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); + + var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), + }); + + var msg24 = msg("SYSTEM_MSG:24", all5); + + var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); + + var select8 = linear_select([ + part41, + dup21, + ]); + + var all6 = all_match({ + processors: [ + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg25 = msg("SYSTEM_MSG:08", all6); + + var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + ]); + + var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + + var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), + ])); + + var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + + var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg28 = msg("POLICY_COMMIT_EVENT", part44); + + var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), + ])); + + var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + + var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + + var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + + var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + + var select10 = linear_select([ + msg30, + msg31, + msg32, + ]); + + var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); + + var msg34 = msg("MTSERROR", dup86); + + var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. Reason:%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + + var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); + + var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); + + var select11 = linear_select([ + msg36, + msg37, + ]); + + var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); + + var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); + + var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + + var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); + + var select12 = linear_select([ + msg40, + msg41, + ]); + + var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); + + var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); + + var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), + ])); + + var msg44 = msg("IF_DUPLEX", part51); + + var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + + var all7 = all_match({ + processors: [ + part52, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), + }); + + var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + + var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg46 = msg("IF_SEQ_ERROR", part53); + + var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + + var all8 = all_match({ + processors: [ + part54, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), + }); + + var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + + var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), + ])); + + var msg48 = msg("IF_UP", part55); + + var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), + ])); + + var msg49 = msg("IF_UP:01", part56); + + var select13 = linear_select([ + msg48, + msg49, + ]); + + var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), + ])); + + var msg50 = msg("SPEED", part57); + + var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg51 = msg("CREATED", part58); + + var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg52 = msg("FOP_CHANGED", part59); + + var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg53 = msg("PORT_DOWN", part60); + + var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg54 = msg("PORT_UP", part61); + + var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + + var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + + var msg57 = msg("MTS_DROP", dup87); + + var msg58 = msg("SYSLOG_LOG_WARNING", dup87); + + var msg59 = msg("IM_SEQ_ERROR", dup93); + + var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); + + var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); + + var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); + + var msg63 = msg("IMG_DNLD_COMPLETE", dup87); + + var msg64 = msg("IMG_DNLD_STARTED", dup87); + + var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + + var msg66 = msg("MSM_CRIT", dup93); + + var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + + var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); + + var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg69 = msg("MOD_FAIL", part66); + + var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg70 = msg("MOD_MAJORSWFAIL", part67); + + var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + + var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg72 = msg("MOD_WARNING:01", part69); + + var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg73 = msg("MOD_WARNING", part70); + + var select14 = linear_select([ + msg72, + msg73, + ]); + + var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg74 = msg("ACTIVE_SUP_OK", part71); + + var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg75 = msg("MOD_OK", part72); + + var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg76 = msg("MOD_RESTART", part73); + + var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), + ])); + + var msg77 = msg("DISPUTE_CLEARED", part74); + + var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), + ])); + + var msg78 = msg("DISPUTE_DETECTED", part75); + + var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); + + var msg80 = msg("CHASSIS_CLKMODOK", dup87); + + var msg81 = msg("CHASSIS_CLKSRC", dup87); + + var msg82 = msg("FAN_OK", dup87); + + var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg83 = msg("MOD_DETECT", part76); + + var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg84 = msg("MOD_PWRDN", part77); + + var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg85 = msg("MOD_PWRUP", part78); + + var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg86 = msg("MOD_REMOVE", part79); + + var msg87 = msg("PFM_MODULE_POWER_ON", dup87); + + var msg88 = msg("PFM_SYSTEM_RESET", dup87); + + var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); + + var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); + + var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); + + var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); + + var msg93 = msg("PFM_VEM_UNLICENSED", dup87); + + var msg94 = msg("PS_FANOK", dup87); + + var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg95 = msg("PS_OK", part80); + + var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + + var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg97 = msg("FAN_DETECT", part82); + + var msg98 = msg("MOD_STATUS", dup87); + + var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), + ])); + + var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + + var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg100 = msg("PEER_VPC_DELETED", part84); + + var msg101 = msg("PFM_VEM_DETECTED", dup87); + + var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg102 = msg("PS_FOUND", part85); + + var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); + + var select15 = linear_select([ + part86, + dup21, + ]); + + var all9 = all_match({ + processors: [ + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg103 = msg("PS_STATUS", all9); + + var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + + var msg105 = msg("PS_CAPACITY_CHANGE", dup87); + + var select16 = linear_select([ + msg104, + msg105, + ]); + + var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); + + var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); + + var select17 = linear_select([ + msg106, + msg107, + ]); + + var msg108 = msg("IF_DOWN_INITIALIZING", dup90); + + var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); + + var select18 = linear_select([ + msg108, + msg109, + ]); + + var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg110 = msg("IF_DOWN_NONE", part88); + + var msg111 = msg("IF_DOWN_NONE:01", dup96); + + var select19 = linear_select([ + msg110, + msg111, + ]); + + var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); + + var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); + + var select20 = linear_select([ + msg112, + msg113, + ]); + + var msg114 = msg("IF_DOWN_OFFLINE", dup88); + + var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); + + var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); + + var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); + + var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg118 = msg("IF_TRUNK_DOWN", part90); + + var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg119 = msg("IF_TRUNK_DOWN:01", part91); + + var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg120 = msg("IF_TRUNK_DOWN:02", part92); + + var select21 = linear_select([ + msg118, + msg119, + msg120, + ]); + + var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg121 = msg("IF_TRUNK_UP", part93); + + var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg122 = msg("IF_TRUNK_UP:01", part94); + + var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg123 = msg("IF_TRUNK_UP:02", part95); + + var select22 = linear_select([ + msg121, + msg122, + msg123, + ]); + + var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); + + var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); + + var msg126 = msg("STANDBY_SUP_OK", dup87); + + var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), + ])); + + var msg127 = msg("STM_LOOP_DETECT", part97); + + var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg128 = msg("SYNC_COMPLETE", part98); + + var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); + + var msg130 = msg("MESG", dup87); + + var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg131 = msg("ERR_MSG", part99); + + var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); + + var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); + + var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg134 = msg("CFGWRITE_FAILED", part101); + + var msg135 = msg("CFGWRITE_ABORTED", dup87); + + var msg136 = msg("CFGWRITE_DONE", dup87); + + var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); + + var select23 = linear_select([ + part102, + dup21, + ]); + + var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg137 = msg("CFGWRITE_STARTED", all10); + + var msg138 = msg("IF_ATTACHED", dup87); + + var msg139 = msg("IF_DELETE_AUTO", dup94); + + var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg140 = msg("IF_DETACHED", part103); + + var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); + + var msg142 = msg("IF_DOWN_INACTIVE", dup88); + + var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); + + var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); + + var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup36, + dup2, + dup3, + dup4, + ])); + + var msg145 = msg("CONN_CONNECT", part105); + + var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, + ])); + + var msg146 = msg("CONN_DISCONNECT", part106); + + var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg147 = msg("DVPG_CREATE", part107); + + var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg148 = msg("DVPG_DELETE", part108); + + var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); + + var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg150 = msg("DVS_NAME_CHANGE", part109); + + var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); + + var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg152 = msg("VPC_DELETED", part110); + + var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), + ])); + + var msg153 = msg("VPC_UP", part111); + + var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); + + var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + + var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); + + var select24 = linear_select([ + part113, + part114, + ]); + + var all11 = all_match({ + processors: [ + part112, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + + var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); + + var select25 = linear_select([ + msg154, + msg155, + ]); + + var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); + + var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); + + var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), + ])); + + var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); + + var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); + + var part120 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); + + var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); + + var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + ])); + + var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); + + var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); + + var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); + + var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); + + var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); + + var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); + + var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); + + var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); + + var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); + + var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); + + var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + + var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var select26 = linear_select([ + part132, + part133, + ]); + + var all12 = all_match({ + processors: [ + dup42, + select26, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + + var part134 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + + var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var all13 = all_match({ + processors: [ + dup42, + select27, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + + var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); + + var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup44, + ])); + + var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); + + var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup44, + ])); + + var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); + + var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); + + var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part140); + + var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); + + var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); + + var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); + + var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); + + var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), + ])); + + var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); + + var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); + + var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); + + var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); + + var select28 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + ]); + + var all14 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup60, + ]), + }); + + var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + + var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); + + var all15 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup60, + ]), + }); + + var msg189 = msg("ACLLOG_NEW_FLOW", all15); + + var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), + ])); + + var msg190 = msg("DUP_VADDR_SRC_IP", part150); + + var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); + + var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); + + var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); + + var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg194 = msg("PFM_CLOCK_CHANGE", part154); + + var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); + + var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg196 = msg("snmpd", part156); + + var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg197 = msg("snmpd:01", part157); + + var select29 = linear_select([ + msg196, + msg197, + ]); + + var part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg198 = msg("CFGWRITE_USER_ABORT", part158); + + var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); + + var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), + ])); + + var msg200 = msg("last", part159); + + var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg201 = msg("SERVICE_CRASHED", part160); + + var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), + ])); + + var msg202 = msg("SERVICELOST", part161); + + var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); + + var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); + + var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + + var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + + var select30 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); + + var all16 = all_match({ + processors: [ + part163, + select30, + part166, + ], + on_success: processor_chain([ + dup23, + dup2, + dup3, + dup4, + ]), + }); + + var msg204 = msg("PS_FAIL", all16); + + var msg205 = msg("INFORMATION", dup87); + + var msg206 = msg("EVENT", dup87); + + var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); + + var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg208 = msg("NEIGHBOR_ADDED", part168); + + var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg209 = msg("NEIGHBOR_REMOVED", part169); + + var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); + + var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); + + var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); + + var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg213 = msg("PORT_SUSPENDED", part173); + + var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), + ])); + + var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); + + var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); + + var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); + + var msg217 = msg("ADJCHANGE", dup87); + + var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg218 = msg("PORT_ADDED", part175); + + var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg219 = msg("PORT_DELETED", part176); + + var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + ])); + + var msg220 = msg("PORT_ROLE", part177); + + var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), + ])); + + var msg221 = msg("PORT_STATE", part178); + + var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); + + var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); + + var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); + + var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + + var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + + var select31 = linear_select([ + part183, + part184, + ]); + + var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + + var all17 = all_match({ + processors: [ + part182, + select31, + part185, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + + var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); + + var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. %{info}", processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","Performing configuration copy"), + ])); + + var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); + + var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + + var all18 = all_match({ + processors: [ + dup64, + dup103, + part188, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), + }); + + var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + + var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + + var all19 = all_match({ + processors: [ + dup64, + dup103, + part189, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + + var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + ]); + + var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); + + var msg231 = msg("IF_SFP_WARNING", dup105); + + var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); + + var msg233 = msg("FCIP_PEER_CAVIUM", dup87); + + var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); + + var msg235 = msg("IF_DOWN_PEER_RESET", dup106); + + var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), + ])); + + var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); + + var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","configuration is consistent in domain"), + ])); + + var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); + + var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); + + var msg239 = msg("IF_HARDWARE", dup105); + + var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, + ])); + + var msg240 = msg("HEARTBEAT_FAILURE", part192); + + var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); + + var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); + + var msg243 = msg("MOUNT", dup87); + + var msg244 = msg("LOG_CMP_UP", dup87); + + var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); + + var all20 = all_match({ + processors: [ + dup69, + dup107, + part193, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg245 = msg("IF_XCVR_WARNING", all20); + + var msg246 = msg("IF_XCVR_WARNING:01", dup108); + + var select33 = linear_select([ + msg245, + msg246, + ]); + + var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); + + var all21 = all_match({ + processors: [ + dup69, + dup107, + part194, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg247 = msg("IF_XCVR_ALARM", all21); + + var msg248 = msg("IF_XCVR_ALARM:01", dup108); + + var select34 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("MEMORY_ALERT", dup87); + + var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); + + var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); + + var all22 = all_match({ + processors: [ + dup69, + dup107, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg251 = msg("IF_SFP_ALARM", all22); + + var msg252 = msg("IF_SFP_ALARM:01", dup108); + + var select35 = linear_select([ + msg251, + msg252, + ]); + + var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var msg253 = msg("NBRCHANGE_DUAL", part196); + + var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); + + var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); + + var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); + + var select36 = linear_select([ + part198, + part199, + ]); + + var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); + + var all23 = all_match({ + processors: [ + part197, + select36, + part200, + ], + on_success: processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), + }); + + var msg254 = msg("SOHMS_DIAG_ERROR", all23); + + var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), + ])); + + var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); + + var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); + + var select37 = linear_select([ + msg254, + msg255, + msg256, + ]); + + var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. %{info}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), + ])); + + var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); + + var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), + ])); + + var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); + + var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), + ])); + + var msg259 = msg("IF_ADMIN_UP", part205); + + var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup74, + ])); + + var msg260 = msg("VPC_CFGD", part206); + + var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup30, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), + ])); + + var msg261 = msg("MODULE_ONLINE", part207); + + var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup30, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), + ])); + + var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); + + var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ + dup77, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC is down"), + dup74, + ])); + + var msg263 = msg("PEER_VPC_DOWN", part209); + + var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + + var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + + var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + + var select38 = linear_select([ + part211, + part212, + ]); + + var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + + var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + + var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + + var select39 = linear_select([ + part214, + part215, + ]); + + var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + + var all24 = all_match({ + processors: [ + part210, + select38, + part213, + select39, + part216, + ], + on_success: processor_chain([ + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), + }); + + var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + + var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup36, + dup34, + dup78, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), + ])); + + var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); + + var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer keep-alive receive has failed"), + ])); + + var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); + + var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), + ])); + + var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); + + var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), + ])); + + var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); + + var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup30, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), + ])); + + var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); + + var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), + ])); + + var msg270 = msg("EJECTOR_STAT_CHANGED", part222); + + var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ + dup29, + setc("ec_activity","Detect"), + dup38, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), + ])); + + var msg271 = msg("XBAR_DETECT", part223); + + var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), + ])); + + var msg272 = msg("XBAR_PWRUP", part224); + + var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), + ])); + + var msg273 = msg("XBAR_PWRDN", part225); + + var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), + ])); + + var msg274 = msg("XBAR_OK", part226); + + var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), + ])); + + var msg275 = msg("VPC_ISSU_START", part227); + + var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), + ])); + + var msg276 = msg("VPC_ISSU_END", part228); + + var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), + ])); + + var msg277 = msg("PORT_RANGE_ROLE", part229); + + var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_state"), + ])); + + var msg278 = msg("PORT_RANGE_STATE", part230); + + var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), + ])); + + var msg279 = msg("PORT_RANGE_DELETED", part231); + + var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ + dup29, + dup34, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), + ])); + + var msg280 = msg("PORT_RANGE_ADDED", part232); + + var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), + ])); + + var msg281 = msg("MST_PORT_BOUNDARY", part233); + + var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. Error Type: %{result}.%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), + ])); + + var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); + + var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), + ])); + + var msg283 = msg("IM_INTF_STATE", part235); + + var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ + dup62, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), + ])); + + var msg284 = msg("VDC_STATE_CHANGE", part236); + + var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup81, + ])); + + var msg285 = msg("SWITCHOVER_OVER", part237); + + var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup62, + dup16, + dup38, + dup2, + dup3, + dup4, + dup81, + setc("obj_type"," New Module type"), + ])); + + var msg286 = msg("VDC_MODULETYPE", part238); + + var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup77, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), + ])); + + var msg287 = msg("HASEQNO_SYNC_FAILED", part239); + + var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failure in sending message to standby causing standby to reset."), + ])); + + var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); + + var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), + ])); + + var msg289 = msg("MODULE_LOCK_FAILED", part241); + + var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), + ])); + + var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); + + var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ + dup29, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), + ])); + + var msg291 = msg("SERVER_ADDED", part243); + + var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ + dup24, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), + ])); + + var msg292 = msg("SERVER_REMOVED", part244); + + var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); + + var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), + ])); + + var msg294 = msg("PORT_INDIVIDUAL", part246); + + var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); + + var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), + ])); + + var msg296 = msg("IF_ERRDIS_RECOVERY", part248); + + var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), + ])); + + var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); + + var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), + ])); + + var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); + + var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Configuration update started."), + ])); + + var msg299 = msg("READCONF_STARTED", part251); + + var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), + ])); + + var msg300 = msg("SUP_POWERDOWN", part252); + + var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), + ])); + + var msg301 = msg("LC_UPGRADE_START", part253); + + var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), + ])); + + var msg302 = msg("LC_UPGRADE_REBOOT", part254); + + var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), + ])); + + var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); + + var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), + ])); + + var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); + + var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), + ])); + + var msg305 = msg("LCM_MODULE_UPGRADE_START", part257); + + var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), + ])); + + var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); + + var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup63, + dup34, + dup78, + dup35, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), + ])); + + var msg307 = msg("FIPS_POST_INFO_MSG", part259); + + var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup74, + ])); + + var msg308 = msg("PEER_VPC_CFGD", part260); + + var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), + ])); + + var msg309 = msg("SYN_COLL_DIS_EN", part261); + + var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), + ])); + + var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); + + var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), + ])); + + var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); + + var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is online"), + ])); + + var msg312 = msg("FEX_STATUS_online", part264); + + var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), + ])); + + var msg313 = msg("FEX_STATUS_offline", part265); + + var select40 = linear_select([ + msg312, + msg313, + ]); + + var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ + dup73, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), + ])); + + var msg314 = msg("PS_PWR_INPUT_MISSING", part266); + + var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), + ])); + + var msg315 = msg("PS_RED_MODE_RESTORED", part267); + + var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), + ])); + + var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); + + var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), + ])); + + var msg317 = msg("PINNING_CHANGED", part269); + + var part270 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), + ])); + + var msg318 = msg("SATCTRL", part270); + + var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), + ])); + + var msg319 = msg("DUP_REGISTER", part271); + + var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), + ])); + + var msg320 = msg("UNKNOWN_MTYPE", part272); + + var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + ])); + + var msg321 = msg("SATCTRL_IMAGE", part273); + + var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, + ])); + + var msg322 = msg("API_FAILED", part274); + + var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg323 = msg("SENSOR_MSG1", part275); + + var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg324 = msg("API_INIT_SEM_CLEAR", part276); + + var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), + ])); + + var msg325 = msg("VDC_ONLINE", part277); + + var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), + ])); + + var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); + + var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg327 = msg("dstats", part279); + + var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ + dup77, + dup34, + setc("ec_activity","Logoff"), + dup35, + dup2, + dup3, + dup4, + ])); + + var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); + + var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ + dup77, + dup34, + dup13, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg329 = msg("MSG_PORT_LOGGED_IN", part281); + + var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); + + var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg331 = msg("ZS_MERGE_FAILED", part282); + + var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); + + var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ + dup23, + dup34, + dup35, + dup2, + dup3, + dup4, + setc("change_attribute","Port"), + ])); + + var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); + + var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg334 = msg("zone", part284); + + var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg335 = msg("ERROR", part285); + + var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg336 = msg("INVAL_IP", part286); + + var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); + + var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg338 = msg("DUPLEX_MISMATCH", part288); + + var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg339 = msg("NOHMS_DIAG_ERROR", part289); + + var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup34, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); + + var part291 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg341 = msg("UDLD_PORT_DISABLED", part291); + + var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg342 = msg("ntpd", part292); + + var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg343 = msg("ntpd:01", part293); + + var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg344 = msg("ntpd:02", part294); + + var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg345 = msg("ntpd:03", part295); + + var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg346 = msg("ntpd:04", part296); + + var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg347 = msg("PFM_ALERT", part297); + + var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), + ])); + + var msg348 = msg("SERVICEFOUND", part298); + + var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Router"), + ])); + + var msg349 = msg("ROUTERFOUND", part299); + + var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), + ])); + + var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); + + var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), + ])); + + var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); + + var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + ])); + + var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); + + var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), + ])); + + var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); + + var select42 = linear_select([ + msg352, + msg353, + ]); + + var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg354 = msg("%USER-3-SYSTEM_MSG", part304); + + var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg355 = msg("%USER-6-SYSTEM_MSG", part305); + + var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); + + var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Failed none for invalid user"), + ])); + + var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); + + var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), + ])); + + var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); + + var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), + ])); + + var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); + + var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), + ])); + + var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); + + var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + ])); + + var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); + + var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + ]); + + var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ + dup30, + dup2, + dup4, + setc("ec_activity","Disable"), + ])); + + var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); + + var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup30, + dup2, + dup4, + dup37, + ])); + + var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); + + var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg364 = msg("PS_ABSENT", part314); + + var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg365 = msg("PS_DETECT", part315); + + var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg366 = msg("SUBPROC_TERMINATED", part316); + + var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup17, + ])); + + var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); + + var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup30, + dup2, + dup4, + ])); + + var msg368 = msg("UPDOWN", part318); + + var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup4, + setc("change_attribute","Interface"), + ])); + + var msg369 = msg("L2FM_MAC_MOVE2", part319); + + var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); + + var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg371 = msg("PS_RED_MODE_CHG", part321); + + var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg372 = msg("INVAL_MAC", part322); + + var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), + ])); + + var msg373 = msg("SRVSTATE_CHANGED", part323); + + var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg374 = msg("INFO", part324); + + var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup76, + dup17, + ])); + + var msg375 = msg("SERVICE_STARTED", part325); + + var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); + + var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg377 = msg("DUP_SRCIP_PROBE", part327); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "%AUTHPRIV-3-SYSTEM_MSG": msg350, + "%AUTHPRIV-5-SYSTEM_MSG": msg351, + "%AUTHPRIV-6-SYSTEM_MSG": select42, + "%USER-3-SYSTEM_MSG": msg354, + "%USER-6-SYSTEM_MSG": select43, + "AAA_ACCOUNTING_MESSAGE": select28, + "ACLLOG_FLOW_INTERVAL": msg187, + "ACLLOG_MAXFLOW_REACHED": msg188, + "ACLLOG_NEW_FLOW": msg189, + "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, + "ACTIVE_SUP_OK": msg74, + "ADDON_IMG_DNLD_COMPLETE": msg60, + "ADDON_IMG_DNLD_STARTED": msg61, + "ADDON_IMG_DNLD_SUCCESSFUL": msg62, + "ADJCHANGE": msg217, + "API_FAILED": msg322, + "API_INIT_SEM_CLEAR": msg324, + "BIOS_DAEMON_LC_PRI_BOOT": msg262, + "CFGWRITE_ABORTED": msg135, + "CFGWRITE_ABORTED_LOCK": msg133, + "CFGWRITE_DONE": msg136, + "CFGWRITE_FAILED": msg134, + "CFGWRITE_STARTED": msg137, + "CFGWRITE_USER_ABORT": msg198, + "CHASSIS_CLKMODOK": msg80, + "CHASSIS_CLKSRC": msg81, + "CONN_CONNECT": msg145, + "CONN_DISCONNECT": msg146, + "CREATED": msg51, + "DELETE_STALE_USER_ACCOUNT": msg258, + "DISPUTE_CLEARED": msg77, + "DISPUTE_DETECTED": msg78, + "DOMAIN_CFG_SYNC_DONE": msg79, + "DUPLEX_MISMATCH": msg338, + "DUP_REGISTER": msg319, + "DUP_SRCIP_PROBE": msg377, + "DUP_VADDR_SRCIP_PROBE": msg376, + "DUP_VADDR_SRC_IP": msg190, + "DVPG_CREATE": msg147, + "DVPG_DELETE": msg148, + "DVS_HOSTMEMBER_INFO": msg149, + "DVS_NAME_CHANGE": msg150, + "EJECTOR_STAT_CHANGED": msg270, + "ERROR": msg335, + "ERR_MSG": msg131, + "EVENT": msg206, + "FAN_DETECT": msg97, + "FAN_OK": msg82, + "FCIP_PEER_CAVIUM": msg233, + "FEX_PORT_STATUS_NOTI": msg214, + "FEX_STATUS": select40, + "FIPS_POST_INFO_MSG": msg307, + "FOP_CHANGED": msg52, + "HASEQNO_SYNC_FAILED": msg287, + "HEARTBEAT_FAILURE": msg240, + "IF_ADMIN_UP": msg259, + "IF_ATTACHED": msg138, + "IF_BANDWIDTH_CHANGE": msg210, + "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, + "IF_DELETE_AUTO": msg139, + "IF_DETACHED": msg140, + "IF_DETACHED_MODULE_REMOVED": msg141, + "IF_DOWN_ADMIN_DOWN": select11, + "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, + "IF_DOWN_CFG_CHANGE": msg193, + "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, + "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, + "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, + "IF_DOWN_ERROR_DISABLED": msg35, + "IF_DOWN_FCOT_NOT_PRESENT": select17, + "IF_DOWN_INACTIVE": msg142, + "IF_DOWN_INITIALIZING": select18, + "IF_DOWN_INTERFACE_REMOVED": msg39, + "IF_DOWN_LINK_FAILURE": select12, + "IF_DOWN_MODULE_REMOVED": msg42, + "IF_DOWN_NONE": select19, + "IF_DOWN_NON_PARTICIPATING": msg143, + "IF_DOWN_NOS_RCVD": select20, + "IF_DOWN_OFFLINE": msg114, + "IF_DOWN_OLS_RCVD": msg115, + "IF_DOWN_PARENT_ADMIN_DOWN": msg211, + "IF_DOWN_PEER_CLOSE": msg234, + "IF_DOWN_PEER_RESET": msg235, + "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, + "IF_DOWN_SOFTWARE_FAILURE": msg116, + "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, + "IF_DOWN_SUSPENDED_BY_SPEED": msg293, + "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, + "IF_DOWN_VEM_UNLICENSED": msg144, + "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, + "IF_DUPLEX": msg44, + "IF_ERRDIS_RECOVERY": msg296, + "IF_ERROR_VLANS_REMOVED": msg191, + "IF_ERROR_VLANS_SUSPENDED": msg192, + "IF_HARDWARE": msg239, + "IF_NON_CISCO_TRANSCEIVER": msg297, + "IF_PORTPROFILE_ATTACHED": msg125, + "IF_RX_FLOW_CONTROL": msg45, + "IF_SEQ_ERROR": msg46, + "IF_SFP_ALARM": select35, + "IF_SFP_WARNING": msg231, + "IF_TRUNK_DOWN": select21, + "IF_TRUNK_UP": select22, + "IF_TX_FLOW_CONTROL": msg47, + "IF_UP": select13, + "IF_XCVR_ALARM": select34, + "IF_XCVR_WARNING": select33, + "IMG_DNLD_COMPLETE": msg63, + "IMG_DNLD_STARTED": msg64, + "IM_INTF_STATE": msg283, + "IM_SEQ_ERROR": msg59, + "INFO": msg374, + "INFORMATION": msg205, + "INTF_CONSISTENCY_FAILED": msg236, + "INTF_CONSISTENCY_SUCCESS": msg237, + "INTF_COUNTERS_CLEARED": msg238, + "INVAL_IP": msg336, + "INVAL_MAC": msg372, + "L2FMC_NL_MTS_SEND_FAILURE": msg290, + "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, + "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, + "L2FM_MAC_MOVE2": msg369, + "LACP_SUSPEND_INDIVIDUAL": msg326, + "LCM_MODULE_UPGRADE_END": msg306, + "LCM_MODULE_UPGRADE_START": msg305, + "LC_UPGRADE_REBOOT": msg302, + "LC_UPGRADE_START": msg301, + "LOG-7-SYSTEM_MSG": msg1, + "LOG_CMP_AAA_FAILURE": msg67, + "LOG_CMP_UP": msg244, + "LOG_LIC_N1K_EXPIRY_WARNING": msg68, + "M2FIB_MAC_TBL_PRGMING": msg257, + "MAC_MOVE_NOTIFICATION": msg333, + "MEMORY_ALERT": msg249, + "MEMORY_ALERT_RECOVERED": msg250, + "MESG": msg130, + "MODULE_LOCK_FAILED": msg289, + "MODULE_ONLINE": msg261, + "MOD_BRINGUP_MULTI_LIMIT": msg96, + "MOD_DETECT": msg83, + "MOD_FAIL": msg69, + "MOD_MAJORSWFAIL": msg70, + "MOD_OK": msg75, + "MOD_PWRDN": msg84, + "MOD_PWRFAIL_EJECTORS_OPEN": msg316, + "MOD_PWRUP": msg85, + "MOD_REMOVE": msg86, + "MOD_RESTART": msg76, + "MOD_SRG_NOT_COMPATIBLE": msg71, + "MOD_STATUS": msg98, + "MOD_WARNING": select14, + "MOUNT": msg243, + "MSG_PORT_LOGGED_IN": msg329, + "MSG_PORT_LOGGED_OUT": msg328, + "MSG_SEND_FAILURE_STANDBY_RESET": msg288, + "MSM_CRIT": msg66, + "MST_PORT_BOUNDARY": msg281, + "MTSERROR": msg34, + "MTS_DROP": msg57, + "NATIVE_VLAN_MISMATCH": msg207, + "NBRCHANGE_DUAL": msg253, + "NEIGHBOR_ADDED": msg208, + "NEIGHBOR_REMOVED": msg209, + "NEIGHBOR_UPDATE_AUTOCOPY": msg33, + "NOHMS_DIAG_ERROR": msg339, + "NOHMS_DIAG_ERR_PS_FAIL": msg215, + "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, + "NOHMS_ENV_FEX_OFFLINE": msg310, + "NOHMS_ENV_FEX_ONLINE": msg311, + "PEER_KEEP_ALIVE_RECV_FAIL": msg266, + "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, + "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, + "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, + "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, + "PEER_KEEP_ALIVE_STATUS": msg269, + "PEER_VPC_CFGD": msg308, + "PEER_VPC_CFGD_VLANS_CHANGED": msg99, + "PEER_VPC_DELETED": msg100, + "PEER_VPC_DOWN": msg263, + "PFM_ALERT": msg347, + "PFM_CLOCK_CHANGE": msg194, + "PFM_FAN_FLTR_STATUS": msg242, + "PFM_MODULE_POWER_ON": msg87, + "PFM_PS_RED_MODE_CHG": msg370, + "PFM_SYSTEM_RESET": msg88, + "PFM_VEM_DETECTED": msg101, + "PFM_VEM_REMOVE_NO_HB": msg89, + "PFM_VEM_REMOVE_RESET": msg90, + "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, + "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, + "PFM_VEM_UNLICENSED": msg93, + "PINNING_CHANGED": msg317, + "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, + "POLICY_ACTIVATE_EVENT": msg27, + "POLICY_COMMIT_EVENT": msg28, + "POLICY_DEACTIVATE_EVENT": msg29, + "POLICY_LOOKUP_EVENT": select10, + "PORT_ADDED": msg218, + "PORT_DELETED": msg219, + "PORT_DOWN": msg53, + "PORT_INDIVIDUAL": msg294, + "PORT_INDIVIDUAL_DOWN": msg212, + "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, + "PORT_RANGE_ADDED": msg280, + "PORT_RANGE_DELETED": msg279, + "PORT_RANGE_ROLE": msg277, + "PORT_RANGE_STATE": msg278, + "PORT_ROLE": msg220, + "PORT_SOFTWARE_FAILURE": msg65, + "PORT_STATE": msg221, + "PORT_SUSPENDED": msg213, + "PORT_UP": msg54, + "PS_ABSENT": msg364, + "PS_CAPACITY_CHANGE": select16, + "PS_DETECT": msg365, + "PS_FAIL": msg204, + "PS_FANOK": msg94, + "PS_FOUND": msg102, + "PS_OK": msg95, + "PS_PWR_INPUT_MISSING": msg314, + "PS_RED_MODE_CHG": msg371, + "PS_RED_MODE_RESTORED": msg315, + "PS_STATUS": msg103, + "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, + "READCONF_STARTED": msg299, + "RM_VICPP_RECREATE_ERROR": msg132, + "ROUTERFOUND": msg349, + "RUNTIME_DB_RESTORE_STARTED": msg303, + "RUNTIME_DB_RESTORE_SUCCESS": msg304, + "SATCTRL": msg318, + "SATCTRL_IMAGE": msg321, + "SENSOR_MSG1": msg323, + "SERVER_ADDED": msg291, + "SERVER_REMOVED": msg292, + "SERVICEFOUND": msg348, + "SERVICELOST": msg202, + "SERVICE_CRASHED": msg201, + "SERVICE_STARTED": msg375, + "SOHMS_DIAG_ERROR": select37, + "SPEED": msg50, + "SRVSTATE_CHANGED": msg373, + "STANDBY_SUP_OK": msg126, + "STM_LEARNING_RE_ENABLE": msg340, + "STM_LOOP_DETECT": msg127, + "SUBGROUP_ID_PORT_ADDED": msg55, + "SUBGROUP_ID_PORT_REMOVED": msg56, + "SUBPROC_SUCCESS_EXIT": msg367, + "SUBPROC_TERMINATED": msg366, + "SUP_POWERDOWN": msg300, + "SWITCHOVER_OVER": msg285, + "SYNC_COMPLETE": msg128, + "SYNC_FAILURE_STANDBY_RESET": msg195, + "SYN_COLL_DIS_EN": msg309, + "SYSLOG_LOG_WARNING": msg58, + "SYSLOG_SL_MSG_WARNING": msg337, + "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, + "SYSTEM_MSG": select9, + "TACACS_ACCOUNTING_MESSAGE": select32, + "TACACS_ERROR_MESSAGE": msg230, + "UDLD_PORT_DISABLED": msg341, + "UNKNOWN_MTYPE": msg320, + "UPDOWN": msg368, + "VDC_HOSTNAME_CHANGE": msg26, + "VDC_MODULETYPE": msg286, + "VDC_ONLINE": msg325, + "VDC_STATE_CHANGE": msg284, + "VMS_PPM_SYNC_COMPLETE": msg151, + "VPC_CFGD": msg260, + "VPC_DELETED": msg152, + "VPC_ISSU_END": msg276, + "VPC_ISSU_START": msg275, + "VPC_UP": msg153, + "VSHD_SYSLOG_CONFIG_I": select25, + "XBAR_DETECT": msg271, + "XBAR_OK": msg274, + "XBAR_PWRDN": msg273, + "XBAR_PWRUP": msg272, + "ZS_MERGE_FAILED": msg331, + "dstats": msg327, + "last": msg200, + "ntpd": select41, + "snmpd": select29, + "zone": msg334, + }), + ]); + + var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); + + var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); + + var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); + + var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); + + var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); + + var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); + + var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); + + var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); + + var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); + + var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); + + var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); + + var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); + + var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); + + var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); + + var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); + + var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); + + var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); + + var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); + + var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); + + var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); + + var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); + + var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var select44 = linear_select([ + dup26, + dup27, + ]); + + var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var part365 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var select45 = linear_select([ + dup46, + dup47, + ]); + + var select46 = linear_select([ + dup49, + dup50, + ]); + + var select47 = linear_select([ + dup54, + dup55, + ]); + + var select48 = linear_select([ + dup57, + dup58, + ]); + + var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select49 = linear_select([ + dup65, + dup66, + ]); + + var select50 = linear_select([ + dup67, + dup68, + ]); + + var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select51 = linear_select([ + dup70, + dup71, + ]); + + var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..9de232f8f2 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,7176 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cisco" + product: "Nexus" + type: "Switches" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} Hit-count = %{dclass_counter1}"); + + var dup60 = setc("dclass_counter1_string","Hit Count"); + + var dup61 = setc("eventcategory","1603100000"); + + var dup62 = setc("eventcategory","1701020000"); + + var dup63 = setc("eventcategory","1801000000"); + + var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var dup72 = setc("ec_outcome","Error"); + + var dup73 = setc("eventcategory","1703000000"); + + var dup74 = setc("obj_type","vPC"); + + var dup75 = setc("ec_subject","OS"); + + var dup76 = setc("ec_activity","Start"); + + var dup77 = setc("eventcategory","1801010000"); + + var dup78 = setc("ec_activity","Receive"); + + var dup79 = setc("ec_activity","Send"); + + var dup80 = setc("ec_activity","Create"); + + var dup81 = setc("event_description","Switchover completed."); + + var dup82 = setc("event_description","Invalid user"); + + var dup83 = setc("eventcategory","1401000000"); + + var dup84 = setc("ec_subject","Service"); + + var dup85 = setc("event_description","Duplicate address Detected."); + + var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup92 = linear_select([ + dup26, + dup27, + ]); + + var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var dup98 = linear_select([ + dup46, + dup47, + ]); + + var dup99 = linear_select([ + dup49, + dup50, + ]); + + var dup100 = linear_select([ + dup54, + dup55, + ]); + + var dup101 = linear_select([ + dup57, + dup58, + ]); + + var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup103 = linear_select([ + dup65, + dup66, + ]); + + var dup104 = linear_select([ + dup67, + dup68, + ]); + + var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup107 = linear_select([ + dup70, + dup71, + ]); + + var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), + ])); + + var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr5 = match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), + ])); + + var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), + ])); + + var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + ]); + + var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); + + var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg2 = msg("SYSTEM_MSG", part1); + + var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg3 = msg("SYSTEM_MSG:12", part2); + + var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg4 = msg("SYSTEM_MSG:01", part3); + + var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg5 = msg("SYSTEM_MSG:11", part4); + + var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); + + var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + + var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); + + var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), + }); + + var msg6 = msg("SYSTEM_MSG:19", all1); + + var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg7 = msg("SYSTEM_MSG:02", part9); + + var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + + var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); + + var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + + var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + + var select4 = linear_select([ + part13, + part14, + ]); + + var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); + + var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg8 = msg("SYSTEM_MSG:03", all2); + + var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg9 = msg("SYSTEM_MSG:04", part16); + + var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + + var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + + var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + + var select5 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); + + var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg10 = msg("SYSTEM_MSG:05", all3); + + var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg11 = msg("SYSTEM_MSG:06", part21); + + var part22 = match("MESSAGE#11:SYSTEM_MSG:07", "nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg12 = msg("SYSTEM_MSG:07", part22); + + var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg13 = msg("SYSTEM_MSG:09", part23); + + var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg14 = msg("SYSTEM_MSG:10", part24); + + var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg15 = msg("SYSTEM_MSG:13", part25); + + var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg16 = msg("SYSTEM_MSG:14", part26); + + var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, + ])); + + var msg17 = msg("SYSTEM_MSG:15", part27); + + var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, + ])); + + var msg18 = msg("SYSTEM_MSG:16", part28); + + var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + + var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + + var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + + var select6 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + + var all4 = all_match({ + processors: [ + part29, + select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg19 = msg("SYSTEM_MSG:17", all4); + + var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg20 = msg("SYSTEM_MSG:20", part33); + + var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, + ])); + + var msg21 = msg("SYSTEM_MSG:21", part34); + + var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg22 = msg("SYSTEM_MSG:22", part35); + + var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + ])); + + var msg23 = msg("SYSTEM_MSG:23", part36); + + var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + + var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); + + var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); + + var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), + }); + + var msg24 = msg("SYSTEM_MSG:24", all5); + + var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); + + var select8 = linear_select([ + part41, + dup21, + ]); + + var all6 = all_match({ + processors: [ + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg25 = msg("SYSTEM_MSG:08", all6); + + var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + ]); + + var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + + var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), + ])); + + var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + + var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg28 = msg("POLICY_COMMIT_EVENT", part44); + + var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), + ])); + + var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + + var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + + var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + + var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + + var select10 = linear_select([ + msg30, + msg31, + msg32, + ]); + + var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); + + var msg34 = msg("MTSERROR", dup86); + + var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. Reason:%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + + var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); + + var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); + + var select11 = linear_select([ + msg36, + msg37, + ]); + + var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); + + var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); + + var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + + var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); + + var select12 = linear_select([ + msg40, + msg41, + ]); + + var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); + + var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); + + var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), + ])); + + var msg44 = msg("IF_DUPLEX", part51); + + var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + + var all7 = all_match({ + processors: [ + part52, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), + }); + + var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + + var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg46 = msg("IF_SEQ_ERROR", part53); + + var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + + var all8 = all_match({ + processors: [ + part54, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), + }); + + var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + + var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), + ])); + + var msg48 = msg("IF_UP", part55); + + var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), + ])); + + var msg49 = msg("IF_UP:01", part56); + + var select13 = linear_select([ + msg48, + msg49, + ]); + + var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), + ])); + + var msg50 = msg("SPEED", part57); + + var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg51 = msg("CREATED", part58); + + var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg52 = msg("FOP_CHANGED", part59); + + var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg53 = msg("PORT_DOWN", part60); + + var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg54 = msg("PORT_UP", part61); + + var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + + var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + + var msg57 = msg("MTS_DROP", dup87); + + var msg58 = msg("SYSLOG_LOG_WARNING", dup87); + + var msg59 = msg("IM_SEQ_ERROR", dup93); + + var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); + + var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); + + var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); + + var msg63 = msg("IMG_DNLD_COMPLETE", dup87); + + var msg64 = msg("IMG_DNLD_STARTED", dup87); + + var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + + var msg66 = msg("MSM_CRIT", dup93); + + var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + + var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); + + var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg69 = msg("MOD_FAIL", part66); + + var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg70 = msg("MOD_MAJORSWFAIL", part67); + + var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + + var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg72 = msg("MOD_WARNING:01", part69); + + var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg73 = msg("MOD_WARNING", part70); + + var select14 = linear_select([ + msg72, + msg73, + ]); + + var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg74 = msg("ACTIVE_SUP_OK", part71); + + var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg75 = msg("MOD_OK", part72); + + var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg76 = msg("MOD_RESTART", part73); + + var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), + ])); + + var msg77 = msg("DISPUTE_CLEARED", part74); + + var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), + ])); + + var msg78 = msg("DISPUTE_DETECTED", part75); + + var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); + + var msg80 = msg("CHASSIS_CLKMODOK", dup87); + + var msg81 = msg("CHASSIS_CLKSRC", dup87); + + var msg82 = msg("FAN_OK", dup87); + + var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg83 = msg("MOD_DETECT", part76); + + var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg84 = msg("MOD_PWRDN", part77); + + var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg85 = msg("MOD_PWRUP", part78); + + var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg86 = msg("MOD_REMOVE", part79); + + var msg87 = msg("PFM_MODULE_POWER_ON", dup87); + + var msg88 = msg("PFM_SYSTEM_RESET", dup87); + + var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); + + var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); + + var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); + + var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); + + var msg93 = msg("PFM_VEM_UNLICENSED", dup87); + + var msg94 = msg("PS_FANOK", dup87); + + var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg95 = msg("PS_OK", part80); + + var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + + var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg97 = msg("FAN_DETECT", part82); + + var msg98 = msg("MOD_STATUS", dup87); + + var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), + ])); + + var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + + var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg100 = msg("PEER_VPC_DELETED", part84); + + var msg101 = msg("PFM_VEM_DETECTED", dup87); + + var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg102 = msg("PS_FOUND", part85); + + var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); + + var select15 = linear_select([ + part86, + dup21, + ]); + + var all9 = all_match({ + processors: [ + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg103 = msg("PS_STATUS", all9); + + var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + + var msg105 = msg("PS_CAPACITY_CHANGE", dup87); + + var select16 = linear_select([ + msg104, + msg105, + ]); + + var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); + + var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); + + var select17 = linear_select([ + msg106, + msg107, + ]); + + var msg108 = msg("IF_DOWN_INITIALIZING", dup90); + + var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); + + var select18 = linear_select([ + msg108, + msg109, + ]); + + var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg110 = msg("IF_DOWN_NONE", part88); + + var msg111 = msg("IF_DOWN_NONE:01", dup96); + + var select19 = linear_select([ + msg110, + msg111, + ]); + + var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); + + var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); + + var select20 = linear_select([ + msg112, + msg113, + ]); + + var msg114 = msg("IF_DOWN_OFFLINE", dup88); + + var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); + + var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); + + var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); + + var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg118 = msg("IF_TRUNK_DOWN", part90); + + var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg119 = msg("IF_TRUNK_DOWN:01", part91); + + var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg120 = msg("IF_TRUNK_DOWN:02", part92); + + var select21 = linear_select([ + msg118, + msg119, + msg120, + ]); + + var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg121 = msg("IF_TRUNK_UP", part93); + + var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg122 = msg("IF_TRUNK_UP:01", part94); + + var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg123 = msg("IF_TRUNK_UP:02", part95); + + var select22 = linear_select([ + msg121, + msg122, + msg123, + ]); + + var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); + + var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); + + var msg126 = msg("STANDBY_SUP_OK", dup87); + + var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), + ])); + + var msg127 = msg("STM_LOOP_DETECT", part97); + + var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg128 = msg("SYNC_COMPLETE", part98); + + var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); + + var msg130 = msg("MESG", dup87); + + var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg131 = msg("ERR_MSG", part99); + + var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); + + var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); + + var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg134 = msg("CFGWRITE_FAILED", part101); + + var msg135 = msg("CFGWRITE_ABORTED", dup87); + + var msg136 = msg("CFGWRITE_DONE", dup87); + + var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); + + var select23 = linear_select([ + part102, + dup21, + ]); + + var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg137 = msg("CFGWRITE_STARTED", all10); + + var msg138 = msg("IF_ATTACHED", dup87); + + var msg139 = msg("IF_DELETE_AUTO", dup94); + + var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg140 = msg("IF_DETACHED", part103); + + var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); + + var msg142 = msg("IF_DOWN_INACTIVE", dup88); + + var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); + + var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); + + var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup36, + dup2, + dup3, + dup4, + ])); + + var msg145 = msg("CONN_CONNECT", part105); + + var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, + ])); + + var msg146 = msg("CONN_DISCONNECT", part106); + + var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg147 = msg("DVPG_CREATE", part107); + + var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg148 = msg("DVPG_DELETE", part108); + + var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); + + var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg150 = msg("DVS_NAME_CHANGE", part109); + + var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); + + var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg152 = msg("VPC_DELETED", part110); + + var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), + ])); + + var msg153 = msg("VPC_UP", part111); + + var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); + + var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + + var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); + + var select24 = linear_select([ + part113, + part114, + ]); + + var all11 = all_match({ + processors: [ + part112, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + + var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); + + var select25 = linear_select([ + msg154, + msg155, + ]); + + var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); + + var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); + + var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), + ])); + + var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); + + var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); + + var part120 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); + + var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); + + var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + ])); + + var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); + + var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); + + var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); + + var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); + + var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); + + var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); + + var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); + + var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); + + var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); + + var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); + + var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + + var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var select26 = linear_select([ + part132, + part133, + ]); + + var all12 = all_match({ + processors: [ + dup42, + select26, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + + var part134 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + + var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var all13 = all_match({ + processors: [ + dup42, + select27, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + + var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); + + var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup44, + ])); + + var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); + + var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup44, + ])); + + var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); + + var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); + + var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part140); + + var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); + + var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); + + var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); + + var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); + + var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), + ])); + + var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); + + var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); + + var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); + + var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); + + var select28 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + ]); + + var all14 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup60, + ]), + }); + + var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + + var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); + + var all15 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup60, + ]), + }); + + var msg189 = msg("ACLLOG_NEW_FLOW", all15); + + var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), + ])); + + var msg190 = msg("DUP_VADDR_SRC_IP", part150); + + var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); + + var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); + + var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); + + var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg194 = msg("PFM_CLOCK_CHANGE", part154); + + var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); + + var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg196 = msg("snmpd", part156); + + var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg197 = msg("snmpd:01", part157); + + var select29 = linear_select([ + msg196, + msg197, + ]); + + var part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg198 = msg("CFGWRITE_USER_ABORT", part158); + + var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); + + var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), + ])); + + var msg200 = msg("last", part159); + + var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg201 = msg("SERVICE_CRASHED", part160); + + var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), + ])); + + var msg202 = msg("SERVICELOST", part161); + + var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); + + var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); + + var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + + var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + + var select30 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); + + var all16 = all_match({ + processors: [ + part163, + select30, + part166, + ], + on_success: processor_chain([ + dup23, + dup2, + dup3, + dup4, + ]), + }); + + var msg204 = msg("PS_FAIL", all16); + + var msg205 = msg("INFORMATION", dup87); + + var msg206 = msg("EVENT", dup87); + + var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); + + var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg208 = msg("NEIGHBOR_ADDED", part168); + + var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg209 = msg("NEIGHBOR_REMOVED", part169); + + var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); + + var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); + + var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); + + var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg213 = msg("PORT_SUSPENDED", part173); + + var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), + ])); + + var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); + + var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); + + var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); + + var msg217 = msg("ADJCHANGE", dup87); + + var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg218 = msg("PORT_ADDED", part175); + + var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg219 = msg("PORT_DELETED", part176); + + var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + ])); + + var msg220 = msg("PORT_ROLE", part177); + + var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), + ])); + + var msg221 = msg("PORT_STATE", part178); + + var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); + + var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); + + var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); + + var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + + var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + + var select31 = linear_select([ + part183, + part184, + ]); + + var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + + var all17 = all_match({ + processors: [ + part182, + select31, + part185, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + + var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); + + var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. %{info}", processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","Performing configuration copy"), + ])); + + var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); + + var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + + var all18 = all_match({ + processors: [ + dup64, + dup103, + part188, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), + }); + + var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + + var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + + var all19 = all_match({ + processors: [ + dup64, + dup103, + part189, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + + var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + ]); + + var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); + + var msg231 = msg("IF_SFP_WARNING", dup105); + + var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); + + var msg233 = msg("FCIP_PEER_CAVIUM", dup87); + + var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); + + var msg235 = msg("IF_DOWN_PEER_RESET", dup106); + + var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), + ])); + + var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); + + var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","configuration is consistent in domain"), + ])); + + var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); + + var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); + + var msg239 = msg("IF_HARDWARE", dup105); + + var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, + ])); + + var msg240 = msg("HEARTBEAT_FAILURE", part192); + + var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); + + var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); + + var msg243 = msg("MOUNT", dup87); + + var msg244 = msg("LOG_CMP_UP", dup87); + + var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); + + var all20 = all_match({ + processors: [ + dup69, + dup107, + part193, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg245 = msg("IF_XCVR_WARNING", all20); + + var msg246 = msg("IF_XCVR_WARNING:01", dup108); + + var select33 = linear_select([ + msg245, + msg246, + ]); + + var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); + + var all21 = all_match({ + processors: [ + dup69, + dup107, + part194, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg247 = msg("IF_XCVR_ALARM", all21); + + var msg248 = msg("IF_XCVR_ALARM:01", dup108); + + var select34 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("MEMORY_ALERT", dup87); + + var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); + + var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); + + var all22 = all_match({ + processors: [ + dup69, + dup107, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg251 = msg("IF_SFP_ALARM", all22); + + var msg252 = msg("IF_SFP_ALARM:01", dup108); + + var select35 = linear_select([ + msg251, + msg252, + ]); + + var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var msg253 = msg("NBRCHANGE_DUAL", part196); + + var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); + + var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); + + var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); + + var select36 = linear_select([ + part198, + part199, + ]); + + var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); + + var all23 = all_match({ + processors: [ + part197, + select36, + part200, + ], + on_success: processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), + }); + + var msg254 = msg("SOHMS_DIAG_ERROR", all23); + + var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), + ])); + + var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); + + var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); + + var select37 = linear_select([ + msg254, + msg255, + msg256, + ]); + + var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. %{info}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), + ])); + + var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); + + var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), + ])); + + var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); + + var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), + ])); + + var msg259 = msg("IF_ADMIN_UP", part205); + + var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup74, + ])); + + var msg260 = msg("VPC_CFGD", part206); + + var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup30, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), + ])); + + var msg261 = msg("MODULE_ONLINE", part207); + + var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup30, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), + ])); + + var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); + + var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ + dup77, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC is down"), + dup74, + ])); + + var msg263 = msg("PEER_VPC_DOWN", part209); + + var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + + var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + + var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + + var select38 = linear_select([ + part211, + part212, + ]); + + var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + + var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + + var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + + var select39 = linear_select([ + part214, + part215, + ]); + + var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + + var all24 = all_match({ + processors: [ + part210, + select38, + part213, + select39, + part216, + ], + on_success: processor_chain([ + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), + }); + + var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + + var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup36, + dup34, + dup78, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), + ])); + + var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); + + var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer keep-alive receive has failed"), + ])); + + var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); + + var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), + ])); + + var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); + + var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), + ])); + + var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); + + var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup30, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), + ])); + + var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); + + var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), + ])); + + var msg270 = msg("EJECTOR_STAT_CHANGED", part222); + + var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ + dup29, + setc("ec_activity","Detect"), + dup38, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), + ])); + + var msg271 = msg("XBAR_DETECT", part223); + + var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), + ])); + + var msg272 = msg("XBAR_PWRUP", part224); + + var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), + ])); + + var msg273 = msg("XBAR_PWRDN", part225); + + var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), + ])); + + var msg274 = msg("XBAR_OK", part226); + + var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), + ])); + + var msg275 = msg("VPC_ISSU_START", part227); + + var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), + ])); + + var msg276 = msg("VPC_ISSU_END", part228); + + var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), + ])); + + var msg277 = msg("PORT_RANGE_ROLE", part229); + + var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_state"), + ])); + + var msg278 = msg("PORT_RANGE_STATE", part230); + + var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), + ])); + + var msg279 = msg("PORT_RANGE_DELETED", part231); + + var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ + dup29, + dup34, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), + ])); + + var msg280 = msg("PORT_RANGE_ADDED", part232); + + var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), + ])); + + var msg281 = msg("MST_PORT_BOUNDARY", part233); + + var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. Error Type: %{result}.%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), + ])); + + var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); + + var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), + ])); + + var msg283 = msg("IM_INTF_STATE", part235); + + var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ + dup62, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), + ])); + + var msg284 = msg("VDC_STATE_CHANGE", part236); + + var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup81, + ])); + + var msg285 = msg("SWITCHOVER_OVER", part237); + + var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup62, + dup16, + dup38, + dup2, + dup3, + dup4, + dup81, + setc("obj_type"," New Module type"), + ])); + + var msg286 = msg("VDC_MODULETYPE", part238); + + var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup77, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), + ])); + + var msg287 = msg("HASEQNO_SYNC_FAILED", part239); + + var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failure in sending message to standby causing standby to reset."), + ])); + + var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); + + var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), + ])); + + var msg289 = msg("MODULE_LOCK_FAILED", part241); + + var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), + ])); + + var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); + + var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ + dup29, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), + ])); + + var msg291 = msg("SERVER_ADDED", part243); + + var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ + dup24, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), + ])); + + var msg292 = msg("SERVER_REMOVED", part244); + + var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); + + var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), + ])); + + var msg294 = msg("PORT_INDIVIDUAL", part246); + + var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); + + var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), + ])); + + var msg296 = msg("IF_ERRDIS_RECOVERY", part248); + + var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), + ])); + + var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); + + var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), + ])); + + var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); + + var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Configuration update started."), + ])); + + var msg299 = msg("READCONF_STARTED", part251); + + var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), + ])); + + var msg300 = msg("SUP_POWERDOWN", part252); + + var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), + ])); + + var msg301 = msg("LC_UPGRADE_START", part253); + + var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), + ])); + + var msg302 = msg("LC_UPGRADE_REBOOT", part254); + + var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), + ])); + + var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); + + var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), + ])); + + var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); + + var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), + ])); + + var msg305 = msg("LCM_MODULE_UPGRADE_START", part257); + + var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), + ])); + + var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); + + var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup63, + dup34, + dup78, + dup35, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), + ])); + + var msg307 = msg("FIPS_POST_INFO_MSG", part259); + + var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup74, + ])); + + var msg308 = msg("PEER_VPC_CFGD", part260); + + var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), + ])); + + var msg309 = msg("SYN_COLL_DIS_EN", part261); + + var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), + ])); + + var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); + + var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), + ])); + + var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); + + var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is online"), + ])); + + var msg312 = msg("FEX_STATUS_online", part264); + + var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), + ])); + + var msg313 = msg("FEX_STATUS_offline", part265); + + var select40 = linear_select([ + msg312, + msg313, + ]); + + var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ + dup73, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), + ])); + + var msg314 = msg("PS_PWR_INPUT_MISSING", part266); + + var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), + ])); + + var msg315 = msg("PS_RED_MODE_RESTORED", part267); + + var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), + ])); + + var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); + + var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), + ])); + + var msg317 = msg("PINNING_CHANGED", part269); + + var part270 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), + ])); + + var msg318 = msg("SATCTRL", part270); + + var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), + ])); + + var msg319 = msg("DUP_REGISTER", part271); + + var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), + ])); + + var msg320 = msg("UNKNOWN_MTYPE", part272); + + var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + ])); + + var msg321 = msg("SATCTRL_IMAGE", part273); + + var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, + ])); + + var msg322 = msg("API_FAILED", part274); + + var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg323 = msg("SENSOR_MSG1", part275); + + var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg324 = msg("API_INIT_SEM_CLEAR", part276); + + var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), + ])); + + var msg325 = msg("VDC_ONLINE", part277); + + var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), + ])); + + var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); + + var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg327 = msg("dstats", part279); + + var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ + dup77, + dup34, + setc("ec_activity","Logoff"), + dup35, + dup2, + dup3, + dup4, + ])); + + var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); + + var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ + dup77, + dup34, + dup13, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg329 = msg("MSG_PORT_LOGGED_IN", part281); + + var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); + + var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg331 = msg("ZS_MERGE_FAILED", part282); + + var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); + + var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ + dup23, + dup34, + dup35, + dup2, + dup3, + dup4, + setc("change_attribute","Port"), + ])); + + var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); + + var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg334 = msg("zone", part284); + + var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg335 = msg("ERROR", part285); + + var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg336 = msg("INVAL_IP", part286); + + var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); + + var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg338 = msg("DUPLEX_MISMATCH", part288); + + var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg339 = msg("NOHMS_DIAG_ERROR", part289); + + var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup34, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); + + var part291 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg341 = msg("UDLD_PORT_DISABLED", part291); + + var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg342 = msg("ntpd", part292); + + var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg343 = msg("ntpd:01", part293); + + var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg344 = msg("ntpd:02", part294); + + var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg345 = msg("ntpd:03", part295); + + var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg346 = msg("ntpd:04", part296); + + var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg347 = msg("PFM_ALERT", part297); + + var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), + ])); + + var msg348 = msg("SERVICEFOUND", part298); + + var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Router"), + ])); + + var msg349 = msg("ROUTERFOUND", part299); + + var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), + ])); + + var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); + + var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), + ])); + + var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); + + var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + ])); + + var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); + + var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), + ])); + + var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); + + var select42 = linear_select([ + msg352, + msg353, + ]); + + var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg354 = msg("%USER-3-SYSTEM_MSG", part304); + + var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg355 = msg("%USER-6-SYSTEM_MSG", part305); + + var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); + + var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Failed none for invalid user"), + ])); + + var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); + + var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), + ])); + + var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); + + var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), + ])); + + var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); + + var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), + ])); + + var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); + + var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + ])); + + var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); + + var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + ]); + + var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ + dup30, + dup2, + dup4, + setc("ec_activity","Disable"), + ])); + + var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); + + var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup30, + dup2, + dup4, + dup37, + ])); + + var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); + + var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg364 = msg("PS_ABSENT", part314); + + var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg365 = msg("PS_DETECT", part315); + + var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg366 = msg("SUBPROC_TERMINATED", part316); + + var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup17, + ])); + + var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); + + var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup30, + dup2, + dup4, + ])); + + var msg368 = msg("UPDOWN", part318); + + var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup4, + setc("change_attribute","Interface"), + ])); + + var msg369 = msg("L2FM_MAC_MOVE2", part319); + + var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); + + var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg371 = msg("PS_RED_MODE_CHG", part321); + + var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg372 = msg("INVAL_MAC", part322); + + var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), + ])); + + var msg373 = msg("SRVSTATE_CHANGED", part323); + + var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg374 = msg("INFO", part324); + + var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup76, + dup17, + ])); + + var msg375 = msg("SERVICE_STARTED", part325); + + var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); + + var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg377 = msg("DUP_SRCIP_PROBE", part327); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "%AUTHPRIV-3-SYSTEM_MSG": msg350, + "%AUTHPRIV-5-SYSTEM_MSG": msg351, + "%AUTHPRIV-6-SYSTEM_MSG": select42, + "%USER-3-SYSTEM_MSG": msg354, + "%USER-6-SYSTEM_MSG": select43, + "AAA_ACCOUNTING_MESSAGE": select28, + "ACLLOG_FLOW_INTERVAL": msg187, + "ACLLOG_MAXFLOW_REACHED": msg188, + "ACLLOG_NEW_FLOW": msg189, + "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, + "ACTIVE_SUP_OK": msg74, + "ADDON_IMG_DNLD_COMPLETE": msg60, + "ADDON_IMG_DNLD_STARTED": msg61, + "ADDON_IMG_DNLD_SUCCESSFUL": msg62, + "ADJCHANGE": msg217, + "API_FAILED": msg322, + "API_INIT_SEM_CLEAR": msg324, + "BIOS_DAEMON_LC_PRI_BOOT": msg262, + "CFGWRITE_ABORTED": msg135, + "CFGWRITE_ABORTED_LOCK": msg133, + "CFGWRITE_DONE": msg136, + "CFGWRITE_FAILED": msg134, + "CFGWRITE_STARTED": msg137, + "CFGWRITE_USER_ABORT": msg198, + "CHASSIS_CLKMODOK": msg80, + "CHASSIS_CLKSRC": msg81, + "CONN_CONNECT": msg145, + "CONN_DISCONNECT": msg146, + "CREATED": msg51, + "DELETE_STALE_USER_ACCOUNT": msg258, + "DISPUTE_CLEARED": msg77, + "DISPUTE_DETECTED": msg78, + "DOMAIN_CFG_SYNC_DONE": msg79, + "DUPLEX_MISMATCH": msg338, + "DUP_REGISTER": msg319, + "DUP_SRCIP_PROBE": msg377, + "DUP_VADDR_SRCIP_PROBE": msg376, + "DUP_VADDR_SRC_IP": msg190, + "DVPG_CREATE": msg147, + "DVPG_DELETE": msg148, + "DVS_HOSTMEMBER_INFO": msg149, + "DVS_NAME_CHANGE": msg150, + "EJECTOR_STAT_CHANGED": msg270, + "ERROR": msg335, + "ERR_MSG": msg131, + "EVENT": msg206, + "FAN_DETECT": msg97, + "FAN_OK": msg82, + "FCIP_PEER_CAVIUM": msg233, + "FEX_PORT_STATUS_NOTI": msg214, + "FEX_STATUS": select40, + "FIPS_POST_INFO_MSG": msg307, + "FOP_CHANGED": msg52, + "HASEQNO_SYNC_FAILED": msg287, + "HEARTBEAT_FAILURE": msg240, + "IF_ADMIN_UP": msg259, + "IF_ATTACHED": msg138, + "IF_BANDWIDTH_CHANGE": msg210, + "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, + "IF_DELETE_AUTO": msg139, + "IF_DETACHED": msg140, + "IF_DETACHED_MODULE_REMOVED": msg141, + "IF_DOWN_ADMIN_DOWN": select11, + "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, + "IF_DOWN_CFG_CHANGE": msg193, + "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, + "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, + "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, + "IF_DOWN_ERROR_DISABLED": msg35, + "IF_DOWN_FCOT_NOT_PRESENT": select17, + "IF_DOWN_INACTIVE": msg142, + "IF_DOWN_INITIALIZING": select18, + "IF_DOWN_INTERFACE_REMOVED": msg39, + "IF_DOWN_LINK_FAILURE": select12, + "IF_DOWN_MODULE_REMOVED": msg42, + "IF_DOWN_NONE": select19, + "IF_DOWN_NON_PARTICIPATING": msg143, + "IF_DOWN_NOS_RCVD": select20, + "IF_DOWN_OFFLINE": msg114, + "IF_DOWN_OLS_RCVD": msg115, + "IF_DOWN_PARENT_ADMIN_DOWN": msg211, + "IF_DOWN_PEER_CLOSE": msg234, + "IF_DOWN_PEER_RESET": msg235, + "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, + "IF_DOWN_SOFTWARE_FAILURE": msg116, + "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, + "IF_DOWN_SUSPENDED_BY_SPEED": msg293, + "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, + "IF_DOWN_VEM_UNLICENSED": msg144, + "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, + "IF_DUPLEX": msg44, + "IF_ERRDIS_RECOVERY": msg296, + "IF_ERROR_VLANS_REMOVED": msg191, + "IF_ERROR_VLANS_SUSPENDED": msg192, + "IF_HARDWARE": msg239, + "IF_NON_CISCO_TRANSCEIVER": msg297, + "IF_PORTPROFILE_ATTACHED": msg125, + "IF_RX_FLOW_CONTROL": msg45, + "IF_SEQ_ERROR": msg46, + "IF_SFP_ALARM": select35, + "IF_SFP_WARNING": msg231, + "IF_TRUNK_DOWN": select21, + "IF_TRUNK_UP": select22, + "IF_TX_FLOW_CONTROL": msg47, + "IF_UP": select13, + "IF_XCVR_ALARM": select34, + "IF_XCVR_WARNING": select33, + "IMG_DNLD_COMPLETE": msg63, + "IMG_DNLD_STARTED": msg64, + "IM_INTF_STATE": msg283, + "IM_SEQ_ERROR": msg59, + "INFO": msg374, + "INFORMATION": msg205, + "INTF_CONSISTENCY_FAILED": msg236, + "INTF_CONSISTENCY_SUCCESS": msg237, + "INTF_COUNTERS_CLEARED": msg238, + "INVAL_IP": msg336, + "INVAL_MAC": msg372, + "L2FMC_NL_MTS_SEND_FAILURE": msg290, + "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, + "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, + "L2FM_MAC_MOVE2": msg369, + "LACP_SUSPEND_INDIVIDUAL": msg326, + "LCM_MODULE_UPGRADE_END": msg306, + "LCM_MODULE_UPGRADE_START": msg305, + "LC_UPGRADE_REBOOT": msg302, + "LC_UPGRADE_START": msg301, + "LOG-7-SYSTEM_MSG": msg1, + "LOG_CMP_AAA_FAILURE": msg67, + "LOG_CMP_UP": msg244, + "LOG_LIC_N1K_EXPIRY_WARNING": msg68, + "M2FIB_MAC_TBL_PRGMING": msg257, + "MAC_MOVE_NOTIFICATION": msg333, + "MEMORY_ALERT": msg249, + "MEMORY_ALERT_RECOVERED": msg250, + "MESG": msg130, + "MODULE_LOCK_FAILED": msg289, + "MODULE_ONLINE": msg261, + "MOD_BRINGUP_MULTI_LIMIT": msg96, + "MOD_DETECT": msg83, + "MOD_FAIL": msg69, + "MOD_MAJORSWFAIL": msg70, + "MOD_OK": msg75, + "MOD_PWRDN": msg84, + "MOD_PWRFAIL_EJECTORS_OPEN": msg316, + "MOD_PWRUP": msg85, + "MOD_REMOVE": msg86, + "MOD_RESTART": msg76, + "MOD_SRG_NOT_COMPATIBLE": msg71, + "MOD_STATUS": msg98, + "MOD_WARNING": select14, + "MOUNT": msg243, + "MSG_PORT_LOGGED_IN": msg329, + "MSG_PORT_LOGGED_OUT": msg328, + "MSG_SEND_FAILURE_STANDBY_RESET": msg288, + "MSM_CRIT": msg66, + "MST_PORT_BOUNDARY": msg281, + "MTSERROR": msg34, + "MTS_DROP": msg57, + "NATIVE_VLAN_MISMATCH": msg207, + "NBRCHANGE_DUAL": msg253, + "NEIGHBOR_ADDED": msg208, + "NEIGHBOR_REMOVED": msg209, + "NEIGHBOR_UPDATE_AUTOCOPY": msg33, + "NOHMS_DIAG_ERROR": msg339, + "NOHMS_DIAG_ERR_PS_FAIL": msg215, + "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, + "NOHMS_ENV_FEX_OFFLINE": msg310, + "NOHMS_ENV_FEX_ONLINE": msg311, + "PEER_KEEP_ALIVE_RECV_FAIL": msg266, + "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, + "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, + "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, + "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, + "PEER_KEEP_ALIVE_STATUS": msg269, + "PEER_VPC_CFGD": msg308, + "PEER_VPC_CFGD_VLANS_CHANGED": msg99, + "PEER_VPC_DELETED": msg100, + "PEER_VPC_DOWN": msg263, + "PFM_ALERT": msg347, + "PFM_CLOCK_CHANGE": msg194, + "PFM_FAN_FLTR_STATUS": msg242, + "PFM_MODULE_POWER_ON": msg87, + "PFM_PS_RED_MODE_CHG": msg370, + "PFM_SYSTEM_RESET": msg88, + "PFM_VEM_DETECTED": msg101, + "PFM_VEM_REMOVE_NO_HB": msg89, + "PFM_VEM_REMOVE_RESET": msg90, + "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, + "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, + "PFM_VEM_UNLICENSED": msg93, + "PINNING_CHANGED": msg317, + "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, + "POLICY_ACTIVATE_EVENT": msg27, + "POLICY_COMMIT_EVENT": msg28, + "POLICY_DEACTIVATE_EVENT": msg29, + "POLICY_LOOKUP_EVENT": select10, + "PORT_ADDED": msg218, + "PORT_DELETED": msg219, + "PORT_DOWN": msg53, + "PORT_INDIVIDUAL": msg294, + "PORT_INDIVIDUAL_DOWN": msg212, + "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, + "PORT_RANGE_ADDED": msg280, + "PORT_RANGE_DELETED": msg279, + "PORT_RANGE_ROLE": msg277, + "PORT_RANGE_STATE": msg278, + "PORT_ROLE": msg220, + "PORT_SOFTWARE_FAILURE": msg65, + "PORT_STATE": msg221, + "PORT_SUSPENDED": msg213, + "PORT_UP": msg54, + "PS_ABSENT": msg364, + "PS_CAPACITY_CHANGE": select16, + "PS_DETECT": msg365, + "PS_FAIL": msg204, + "PS_FANOK": msg94, + "PS_FOUND": msg102, + "PS_OK": msg95, + "PS_PWR_INPUT_MISSING": msg314, + "PS_RED_MODE_CHG": msg371, + "PS_RED_MODE_RESTORED": msg315, + "PS_STATUS": msg103, + "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, + "READCONF_STARTED": msg299, + "RM_VICPP_RECREATE_ERROR": msg132, + "ROUTERFOUND": msg349, + "RUNTIME_DB_RESTORE_STARTED": msg303, + "RUNTIME_DB_RESTORE_SUCCESS": msg304, + "SATCTRL": msg318, + "SATCTRL_IMAGE": msg321, + "SENSOR_MSG1": msg323, + "SERVER_ADDED": msg291, + "SERVER_REMOVED": msg292, + "SERVICEFOUND": msg348, + "SERVICELOST": msg202, + "SERVICE_CRASHED": msg201, + "SERVICE_STARTED": msg375, + "SOHMS_DIAG_ERROR": select37, + "SPEED": msg50, + "SRVSTATE_CHANGED": msg373, + "STANDBY_SUP_OK": msg126, + "STM_LEARNING_RE_ENABLE": msg340, + "STM_LOOP_DETECT": msg127, + "SUBGROUP_ID_PORT_ADDED": msg55, + "SUBGROUP_ID_PORT_REMOVED": msg56, + "SUBPROC_SUCCESS_EXIT": msg367, + "SUBPROC_TERMINATED": msg366, + "SUP_POWERDOWN": msg300, + "SWITCHOVER_OVER": msg285, + "SYNC_COMPLETE": msg128, + "SYNC_FAILURE_STANDBY_RESET": msg195, + "SYN_COLL_DIS_EN": msg309, + "SYSLOG_LOG_WARNING": msg58, + "SYSLOG_SL_MSG_WARNING": msg337, + "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, + "SYSTEM_MSG": select9, + "TACACS_ACCOUNTING_MESSAGE": select32, + "TACACS_ERROR_MESSAGE": msg230, + "UDLD_PORT_DISABLED": msg341, + "UNKNOWN_MTYPE": msg320, + "UPDOWN": msg368, + "VDC_HOSTNAME_CHANGE": msg26, + "VDC_MODULETYPE": msg286, + "VDC_ONLINE": msg325, + "VDC_STATE_CHANGE": msg284, + "VMS_PPM_SYNC_COMPLETE": msg151, + "VPC_CFGD": msg260, + "VPC_DELETED": msg152, + "VPC_ISSU_END": msg276, + "VPC_ISSU_START": msg275, + "VPC_UP": msg153, + "VSHD_SYSLOG_CONFIG_I": select25, + "XBAR_DETECT": msg271, + "XBAR_OK": msg274, + "XBAR_PWRDN": msg273, + "XBAR_PWRUP": msg272, + "ZS_MERGE_FAILED": msg331, + "dstats": msg327, + "last": msg200, + "ntpd": select41, + "snmpd": select29, + "zone": msg334, + }), + ]); + + var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); + + var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); + + var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); + + var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); + + var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); + + var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); + + var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); + + var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); + + var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); + + var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); + + var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); + + var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); + + var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); + + var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); + + var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); + + var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); + + var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); + + var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); + + var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); + + var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); + + var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); + + var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var select44 = linear_select([ + dup26, + dup27, + ]); + + var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var part365 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var select45 = linear_select([ + dup46, + dup47, + ]); + + var select46 = linear_select([ + dup49, + dup50, + ]); + + var select47 = linear_select([ + dup54, + dup55, + ]); + + var select48 = linear_select([ + dup57, + dup58, + ]); + + var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select49 = linear_select([ + dup65, + dup66, + ]); + + var select50 = linear_select([ + dup67, + dup68, + ]); + + var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select51 = linear_select([ + dup70, + dup71, + ]); + + var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..64f17de3e0 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,7176 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cisco" + product: "Nexus" + type: "Switches" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} Hit-count = %{dclass_counter1}"); + + var dup60 = setc("dclass_counter1_string","Hit Count"); + + var dup61 = setc("eventcategory","1603100000"); + + var dup62 = setc("eventcategory","1701020000"); + + var dup63 = setc("eventcategory","1801000000"); + + var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var dup72 = setc("ec_outcome","Error"); + + var dup73 = setc("eventcategory","1703000000"); + + var dup74 = setc("obj_type","vPC"); + + var dup75 = setc("ec_subject","OS"); + + var dup76 = setc("ec_activity","Start"); + + var dup77 = setc("eventcategory","1801010000"); + + var dup78 = setc("ec_activity","Receive"); + + var dup79 = setc("ec_activity","Send"); + + var dup80 = setc("ec_activity","Create"); + + var dup81 = setc("event_description","Switchover completed."); + + var dup82 = setc("event_description","Invalid user"); + + var dup83 = setc("eventcategory","1401000000"); + + var dup84 = setc("ec_subject","Service"); + + var dup85 = setc("event_description","Duplicate address Detected."); + + var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup92 = linear_select([ + dup26, + dup27, + ]); + + var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var dup98 = linear_select([ + dup46, + dup47, + ]); + + var dup99 = linear_select([ + dup49, + dup50, + ]); + + var dup100 = linear_select([ + dup54, + dup55, + ]); + + var dup101 = linear_select([ + dup57, + dup58, + ]); + + var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup103 = linear_select([ + dup65, + dup66, + ]); + + var dup104 = linear_select([ + dup67, + dup68, + ]); + + var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var dup107 = linear_select([ + dup70, + dup71, + ]); + + var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var hdr1 = match("HEADER#0:0001", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0007", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{hfld18}: %%{hfld19}-%{hfld20}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0007"), + ])); + + var hdr3 = match("HEADER#2:0005", "message", "%{hfld4->} %{hfld5->} %{hfld6->} %{hfld7->} : %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0005"), + ])); + + var hdr4 = match("HEADER#3:0002", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var hdr5 = match("HEADER#4:0012", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0012"), + ])); + + var hdr6 = match("HEADER#5:0008", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %%{hfld19}-%{severity}-%{messageid}:%{payload}", processor_chain([ + setc("header_id","0008"), + ])); + + var hdr7 = match("HEADER#6:0011", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}[%{hfld18}]:%{payload}", processor_chain([ + setc("header_id","0011"), + ])); + + var hdr8 = match("HEADER#7:0003", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0003"), + ])); + + var hdr9 = match("HEADER#8:0004", "message", ": %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), + ])); + + var hdr10 = match("HEADER#9:0009", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0009"), + ])); + + var hdr11 = match("HEADER#10:0013", "message", "%{fld13}: %{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0013"), + ])); + + var hdr12 = match("HEADER#11:0010", "message", "%{hfld14->} %{hfld15->} %{hfld16->} %{hfld17->} %{timezone}: %{messageid->} %{payload}", processor_chain([ + setc("header_id","0010"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + ]); + + var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); + + var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg2 = msg("SYSTEM_MSG", part1); + + var part2 = match("MESSAGE#2:SYSTEM_MSG:12", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup6, + ])); + + var msg3 = msg("SYSTEM_MSG:12", part2); + + var part3 = match("MESSAGE#3:SYSTEM_MSG:01", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg4 = msg("SYSTEM_MSG:01", part3); + + var part4 = match("MESSAGE#4:SYSTEM_MSG:11", "nwparser.payload", "error: PAM: Authentication failure for %{username->} from %{shost}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg5 = msg("SYSTEM_MSG:11", part4); + + var part5 = match("MESSAGE#5:SYSTEM_MSG:19/0", "nwparser.payload", "error: maximum authentication attempts exceeded for %{p0}"); + + var part6 = match("MESSAGE#5:SYSTEM_MSG:19/1_0", "nwparser.p0", "invalid user %{username->} from %{p0}"); + + var part7 = match("MESSAGE#5:SYSTEM_MSG:19/1_1", "nwparser.p0", "%{username->} from %{p0}"); + + var select2 = linear_select([ + part6, + part7, + ]); + + var part8 = match("MESSAGE#5:SYSTEM_MSG:19/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol->} - %{agent}[%{process_id}]"); + + var all1 = all_match({ + processors: [ + part5, + select2, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + ]), + }); + + var msg6 = msg("SYSTEM_MSG:19", all1); + + var part9 = match("MESSAGE#6:SYSTEM_MSG:02", "nwparser.payload", "error:%{result}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg7 = msg("SYSTEM_MSG:02", part9); + + var part10 = match("MESSAGE#7:SYSTEM_MSG:03/0_0", "nwparser.payload", "(pam_unix)%{p0}"); + + var part11 = match("MESSAGE#7:SYSTEM_MSG:03/0_1", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}):%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#7:SYSTEM_MSG:03/1", "nwparser.p0", "%{}authentication failure; logname=%{fld20->} uid=%{fld21->} euid=%{fld22->} tty=%{terminal->} ruser=%{fld24->} rhost=%{p0}"); + + var part13 = match("MESSAGE#7:SYSTEM_MSG:03/2_0", "nwparser.p0", "%{fld25->} user=%{username->} - %{p0}"); + + var part14 = match("MESSAGE#7:SYSTEM_MSG:03/2_1", "nwparser.p0", "%{fld25->} - %{p0}"); + + var select4 = linear_select([ + part13, + part14, + ]); + + var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); + + var all2 = all_match({ + processors: [ + select3, + part12, + select4, + part15, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg8 = msg("SYSTEM_MSG:03", all2); + + var part16 = match("MESSAGE#8:SYSTEM_MSG:04", "nwparser.payload", "(pam_unix) %{event_description}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg9 = msg("SYSTEM_MSG:04", part16); + + var part17 = match("MESSAGE#9:SYSTEM_MSG:05/0", "nwparser.payload", "pam_aaa:Authentication failed f%{p0}"); + + var part18 = match("MESSAGE#9:SYSTEM_MSG:05/1_0", "nwparser.p0", "or user %{username->} from%{p0}"); + + var part19 = match("MESSAGE#9:SYSTEM_MSG:05/1_1", "nwparser.p0", "rom%{p0}"); + + var select5 = linear_select([ + part18, + part19, + ]); + + var part20 = match("MESSAGE#9:SYSTEM_MSG:05/2", "nwparser.p0", "%{} %{saddr->} - %{agent}[%{process_id}]"); + + var all3 = all_match({ + processors: [ + part17, + select5, + part20, + ], + on_success: processor_chain([ + dup5, + dup2, + dup3, + dup4, + ]), + }); + + var msg10 = msg("SYSTEM_MSG:05", all3); + + var part21 = match("MESSAGE#10:SYSTEM_MSG:06", "nwparser.payload", "FAILED LOGIN (%{fld20}) on %{fld21->} FOR %{username}, Authentication failure - login[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg11 = msg("SYSTEM_MSG:06", part21); + + var part22 = match("MESSAGE#11:SYSTEM_MSG:07", "nwparser.payload", "fatal:%{event_description}", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg12 = msg("SYSTEM_MSG:07", part22); + + var part23 = match("MESSAGE#12:SYSTEM_MSG:09", "nwparser.payload", "%{fld1}: Host name is set %{hostname->} - kernel", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg13 = msg("SYSTEM_MSG:09", part23); + + var part24 = match("MESSAGE#13:SYSTEM_MSG:10", "nwparser.payload", "Unauthorized access by NFS client %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg14 = msg("SYSTEM_MSG:10", part24); + + var part25 = match("MESSAGE#14:SYSTEM_MSG:13", "nwparser.payload", "%{fld43->} : SNMP UDP authentication failed for %{saddr}.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg15 = msg("SYSTEM_MSG:13", part25); + + var part26 = match("MESSAGE#15:SYSTEM_MSG:14", "nwparser.payload", "%{fld43->} : Subsequent authentication success for user (%{username}) failed.", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg16 = msg("SYSTEM_MSG:14", part26); + + var part27 = match("MESSAGE#16:SYSTEM_MSG:15", "nwparser.payload", "%{fld1->} : TTY=%{terminal->} ; PWD=%{directory->} ; USER=%{username->} ; COMMAND=%{param}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup11, + dup12, + ])); + + var msg17 = msg("SYSTEM_MSG:15", part27); + + var part28 = match("MESSAGE#17:SYSTEM_MSG:16", "nwparser.payload", "Login failed for user %{username->} - %{agent}[%{process_id}]", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup11, + dup13, + dup12, + dup14, + ])); + + var msg18 = msg("SYSTEM_MSG:16", part28); + + var part29 = match("MESSAGE#18:SYSTEM_MSG:17/0", "nwparser.payload", "NTP: Peer %{hostip->} %{p0}"); + + var part30 = match("MESSAGE#18:SYSTEM_MSG:17/1_0", "nwparser.p0", "with stratum %{fld1->} selected - %{p0}"); + + var part31 = match("MESSAGE#18:SYSTEM_MSG:17/1_1", "nwparser.p0", "is %{disposition->} - %{p0}"); + + var select6 = linear_select([ + part30, + part31, + ]); + + var part32 = match("MESSAGE#18:SYSTEM_MSG:17/2", "nwparser.p0", "%{agent}[%{process_id}]"); + + var all4 = all_match({ + processors: [ + part29, + select6, + part32, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg19 = msg("SYSTEM_MSG:17", all4); + + var part33 = match("MESSAGE#19:SYSTEM_MSG:20", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg20 = msg("SYSTEM_MSG:20", part33); + + var part34 = match("MESSAGE#20:SYSTEM_MSG:21", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): password changed for %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + setc("ec_subject","Password"), + dup16, + dup12, + dup17, + ])); + + var msg21 = msg("SYSTEM_MSG:21", part34); + + var part35 = match("MESSAGE#21:SYSTEM_MSG:22", "nwparser.payload", "pam_unix(%{fld1}:%{fld2}): check pass; user %{username->} - %{agent}", processor_chain([ + dup10, + dup2, + dup3, + dup4, + dup12, + ])); + + var msg22 = msg("SYSTEM_MSG:22", part35); + + var part36 = match("MESSAGE#22:SYSTEM_MSG:23", "nwparser.payload", "new user: name=%{username}, uid=%{uid}, gid=%{fld1}, home=%{directory}, shell=%{fld2->} - %{agent}[%{process_id}]", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + ])); + + var msg23 = msg("SYSTEM_MSG:23", part36); + + var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); + + var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); + + var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); + + var all5 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup20, + dup17, + ]), + }); + + var msg24 = msg("SYSTEM_MSG:24", all5); + + var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); + + var select8 = linear_select([ + part41, + dup21, + ]); + + var all6 = all_match({ + processors: [ + select8, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg25 = msg("SYSTEM_MSG:08", all6); + + var select9 = linear_select([ + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + ]); + + var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1->} hostname changed to %{hostname}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); + + var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("action","activated"), + setc("event_description","Policy is activated by profile"), + ])); + + var msg27 = msg("POLICY_ACTIVATE_EVENT", part43); + + var part44 = match("MESSAGE#27:POLICY_COMMIT_EVENT", "nwparser.payload", "Commit operation %{disposition}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg28 = msg("POLICY_COMMIT_EVENT", part44); + + var part45 = match("MESSAGE#28:POLICY_DEACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is de-activated by last referring profile %{username}", processor_chain([ + setc("eventcategory","1701070000"), + dup2, + dup3, + dup4, + setc("action","de-activated"), + setc("event_description","Policy is de-activated by last referring profile"), + ])); + + var msg29 = msg("POLICY_DEACTIVATE_EVENT", part45); + + var part46 = match("MESSAGE#29:POLICY_LOOKUP_EVENT:01", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2->} dst.zone.name=%{dst_zone->} src.zone.name=%{src_zone}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg30 = msg("POLICY_LOOKUP_EVENT:01", part46); + + var part47 = match("MESSAGE#30:POLICY_LOOKUP_EVENT", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} src.net.ip-address=%{saddr->} src.net.port=%{sport->} dst.net.ip-address=%{daddr->} dst.net.port=%{dport->} net.protocol=%{protocol->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg31 = msg("POLICY_LOOKUP_EVENT", part47); + + var part48 = match("MESSAGE#31:POLICY_LOOKUP_EVENT:02", "nwparser.payload", "policy=%{policyname->} rule=%{rulename->} action=%{action->} direction=%{direction->} net.ethertype=%{fld2}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg32 = msg("POLICY_LOOKUP_EVENT:02", part48); + + var select10 = linear_select([ + msg30, + msg31, + msg32, + ]); + + var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); + + var msg34 = msg("MTSERROR", dup86); + + var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. Reason:%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); + + var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); + + var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); + + var select11 = linear_select([ + msg36, + msg37, + ]); + + var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); + + var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); + + var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); + + var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); + + var select12 = linear_select([ + msg40, + msg41, + ]); + + var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); + + var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); + + var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface duplex mode changed"), + ])); + + var msg44 = msg("IF_DUPLEX", part51); + + var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Receive Flow Cont%{p0}"); + + var all7 = all_match({ + processors: [ + part52, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Receive Flow Control state changed"), + ]), + }); + + var msg45 = msg("IF_RX_FLOW_CONTROL", all7); + + var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg46 = msg("IF_SEQ_ERROR", part53); + + var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Interface %{interface}, operational Transmit Flow Cont%{p0}"); + + var all8 = all_match({ + processors: [ + part54, + dup92, + dup28, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational Transmit Flow Control state changed"), + ]), + }); + + var msg47 = msg("IF_TX_FLOW_CONTROL", all8); + + var part55 = match("MESSAGE#47:IF_UP", "nwparser.payload", "%{fld43->} Interface %{sinterface->} is up in mode %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up in mode"), + ])); + + var msg48 = msg("IF_UP", part55); + + var part56 = match("MESSAGE#48:IF_UP:01", "nwparser.payload", "Interface %{sinterface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface is up"), + ])); + + var msg49 = msg("IF_UP:01", part56); + + var select13 = linear_select([ + msg48, + msg49, + ]); + + var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interface}, operational speed changed to %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Interface operational speed changed"), + ])); + + var msg50 = msg("SPEED", part57); + + var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg51 = msg("CREATED", part58); + + var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg52 = msg("FOP_CHANGED", part59); + + var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg53 = msg("PORT_DOWN", part60); + + var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: %{interface->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg54 = msg("PORT_UP", part61); + + var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); + + var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); + + var msg57 = msg("MTS_DROP", dup87); + + var msg58 = msg("SYSLOG_LOG_WARNING", dup87); + + var msg59 = msg("IM_SEQ_ERROR", dup93); + + var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); + + var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); + + var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); + + var msg63 = msg("IMG_DNLD_COMPLETE", dup87); + + var msg64 = msg("IMG_DNLD_STARTED", dup87); + + var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); + + var msg66 = msg("MSM_CRIT", dup93); + + var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup7, + ])); + + var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); + + var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); + + var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg69 = msg("MOD_FAIL", part66); + + var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg70 = msg("MOD_MAJORSWFAIL", part67); + + var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) firmware is not compatible with supervisor, downloading new image", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); + + var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg72 = msg("MOD_WARNING:01", part69); + + var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg73 = msg("MOD_WARNING", part70); + + var select14 = linear_select([ + msg72, + msg73, + ]); + + var part71 = match("MESSAGE#73:ACTIVE_SUP_OK", "nwparser.payload", "Supervisor %{fld20->} is active (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg74 = msg("ACTIVE_SUP_OK", part71); + + var part72 = match("MESSAGE#74:MOD_OK", "nwparser.payload", "Module %{fld20->} is online (serial: %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg75 = msg("MOD_OK", part72); + + var part73 = match("MESSAGE#75:MOD_RESTART", "nwparser.payload", "Module %{fld20->} is restarting after image download", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg76 = msg("MOD_RESTART", part73); + + var part74 = match("MESSAGE#76:DISPUTE_CLEARED", "nwparser.payload", "Dispute resolved for port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute resolved for port on VLAN"), + ])); + + var msg77 = msg("DISPUTE_CLEARED", part74); + + var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute detected on port %{portname->} on %{vlan}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","Dispute detected on port on VLAN"), + ])); + + var msg78 = msg("DISPUTE_DETECTED", part75); + + var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); + + var msg80 = msg("CHASSIS_CLKMODOK", dup87); + + var msg81 = msg("CHASSIS_CLKSRC", dup87); + + var msg82 = msg("FAN_OK", dup87); + + var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg83 = msg("MOD_DETECT", part76); + + var part77 = match("MESSAGE#83:MOD_PWRDN", "nwparser.payload", "Module %{fld19->} powered down (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg84 = msg("MOD_PWRDN", part77); + + var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19->} powered up (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg85 = msg("MOD_PWRUP", part78); + + var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg86 = msg("MOD_REMOVE", part79); + + var msg87 = msg("PFM_MODULE_POWER_ON", dup87); + + var msg88 = msg("PFM_SYSTEM_RESET", dup87); + + var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); + + var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); + + var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); + + var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); + + var msg93 = msg("PFM_VEM_UNLICENSED", dup87); + + var msg94 = msg("PS_FANOK", dup87); + + var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg95 = msg("PS_OK", part80); + + var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg96 = msg("MOD_BRINGUP_MULTI_LIMIT", part81); + + var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fld19->} (Serial number %{serial_number}) %{fld20->} detected", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg97 = msg("FAN_DETECT", part82); + + var msg98 = msg("MOD_STATUS", dup87); + + var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC configured vlans changed"), + ])); + + var msg99 = msg("PEER_VPC_CFGD_VLANS_CHANGED", part83); + + var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC %{obj_name->} deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg100 = msg("PEER_VPC_DELETED", part84); + + var msg101 = msg("PFM_VEM_DETECTED", dup87); + + var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg102 = msg("PS_FOUND", part85); + + var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); + + var select15 = linear_select([ + part86, + dup21, + ]); + + var all9 = all_match({ + processors: [ + select15, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg103 = msg("PS_STATUS", all9); + + var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Power supply %{fld1->} changed its capacity. possibly due to On/Off or power cable removal/insertion (Serial number %{serial_number})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); + + var msg105 = msg("PS_CAPACITY_CHANGE", dup87); + + var select16 = linear_select([ + msg104, + msg105, + ]); + + var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); + + var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); + + var select17 = linear_select([ + msg106, + msg107, + ]); + + var msg108 = msg("IF_DOWN_INITIALIZING", dup90); + + var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); + + var select18 = linear_select([ + msg108, + msg109, + ]); + + var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg110 = msg("IF_DOWN_NONE", part88); + + var msg111 = msg("IF_DOWN_NONE:01", dup96); + + var select19 = linear_select([ + msg110, + msg111, + ]); + + var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); + + var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); + + var select20 = linear_select([ + msg112, + msg113, + ]); + + var msg114 = msg("IF_DOWN_OFFLINE", dup88); + + var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); + + var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup31, + dup2, + dup3, + dup4, + ])); + + var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); + + var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); + + var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg118 = msg("IF_TRUNK_DOWN", part90); + + var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg119 = msg("IF_TRUNK_DOWN:01", part91); + + var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg120 = msg("IF_TRUNK_DOWN:02", part92); + + var select21 = linear_select([ + msg118, + msg119, + msg120, + ]); + + var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg121 = msg("IF_TRUNK_UP", part93); + + var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg122 = msg("IF_TRUNK_UP:01", part94); + + var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg123 = msg("IF_TRUNK_UP:02", part95); + + var select22 = linear_select([ + msg121, + msg122, + msg123, + ]); + + var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); + + var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); + + var msg126 = msg("STANDBY_SUP_OK", dup87); + + var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Loops detected in the network among ports"), + ])); + + var msg127 = msg("STM_LOOP_DETECT", part97); + + var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync completed.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg128 = msg("SYNC_COMPLETE", part98); + + var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); + + var msg130 = msg("MESG", dup87); + + var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var msg131 = msg("ERR_MSG", part99); + + var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); + + var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg133 = msg("CFGWRITE_ABORTED_LOCK", part100); + + var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configuration copy failed (error-id %{resultcode}).", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg134 = msg("CFGWRITE_FAILED", part101); + + var msg135 = msg("CFGWRITE_ABORTED", dup87); + + var msg136 = msg("CFGWRITE_DONE", dup87); + + var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); + + var select23 = linear_select([ + part102, + dup21, + ]); + + var all10 = all_match({ + processors: [ + select23, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg137 = msg("CFGWRITE_STARTED", all10); + + var msg138 = msg("IF_ATTACHED", dup87); + + var msg139 = msg("IF_DELETE_AUTO", dup94); + + var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg140 = msg("IF_DETACHED", part103); + + var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); + + var msg142 = msg("IF_DOWN_INACTIVE", dup88); + + var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); + + var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); + + var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup36, + dup2, + dup3, + dup4, + ])); + + var msg145 = msg("CONN_CONNECT", part105); + + var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ + setc("eventcategory","1801030000"), + dup2, + dup3, + dup4, + ])); + + var msg146 = msg("CONN_DISCONNECT", part106); + + var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg147 = msg("DVPG_CREATE", part107); + + var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg148 = msg("DVPG_DELETE", part108); + + var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); + + var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg150 = msg("DVS_NAME_CHANGE", part109); + + var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); + + var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg152 = msg("VPC_DELETED", part110); + + var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","VPC is up"), + ])); + + var msg153 = msg("VPC_UP", part111); + + var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); + + var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); + + var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); + + var select24 = linear_select([ + part113, + part114, + ]); + + var all11 = all_match({ + processors: [ + part112, + select24, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); + + var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); + + var select25 = linear_select([ + msg154, + msg155, + ]); + + var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); + + var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); + + var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","program start"), + ])); + + var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); + + var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); + + var part120 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); + + var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); + + var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + ])); + + var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); + + var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); + + var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); + + var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); + + var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); + + var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); + + var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); + + var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); + + var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); + + var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup41, + ])); + + var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); + + var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); + + var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var select26 = linear_select([ + part132, + part133, + ]); + + var all12 = all_match({ + processors: [ + dup42, + select26, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); + + var part134 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); + + var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); + + var select27 = linear_select([ + part134, + part135, + ]); + + var all13 = all_match({ + processors: [ + dup42, + select27, + dup43, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + dup44, + ]), + }); + + var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); + + var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); + + var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Added user"), + dup44, + ])); + + var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); + + var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup11, + dup17, + setc("event_description","Deleted user"), + dup44, + ])); + + var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); + + var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); + + var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part140); + + var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); + + var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); + + var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); + + var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); + + var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","shell terminated"), + ])); + + var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); + + var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); + + var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); + + var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); + + var select28 = linear_select([ + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + ]); + + var all14 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Log Flow Interval"), + dup60, + ]), + }); + + var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); + + var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); + + var all15 = all_match({ + processors: [ + dup45, + dup98, + dup48, + dup99, + dup51, + dup98, + dup52, + dup99, + dup53, + dup100, + dup56, + dup101, + dup59, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","ACL Lof New Flow"), + dup60, + ]), + }); + + var msg189 = msg("ACLLOG_NEW_FLOW", all15); + + var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), + ])); + + var msg190 = msg("DUP_VADDR_SRC_IP", part150); + + var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); + + var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); + + var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); + + var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg194 = msg("PFM_CLOCK_CHANGE", part154); + + var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); + + var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg196 = msg("snmpd", part156); + + var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg197 = msg("snmpd:01", part157); + + var select29 = linear_select([ + msg196, + msg197, + ]); + + var part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg198 = msg("CFGWRITE_USER_ABORT", part158); + + var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); + + var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","last message repeated number of times."), + setc("dclass_counter1_string","Number of times repeated"), + ])); + + var msg200 = msg("last", part159); + + var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup32, + dup2, + dup3, + dup4, + ])); + + var msg201 = msg("SERVICE_CRASHED", part160); + + var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service lost on WCCP Client"), + ])); + + var msg202 = msg("SERVICELOST", part161); + + var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); + + var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); + + var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); + + var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); + + var select30 = linear_select([ + part164, + part165, + ]); + + var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); + + var all16 = all_match({ + processors: [ + part163, + select30, + part166, + ], + on_success: processor_chain([ + dup23, + dup2, + dup3, + dup4, + ]), + }); + + var msg204 = msg("PS_FAIL", all16); + + var msg205 = msg("INFORMATION", dup87); + + var msg206 = msg("EVENT", dup87); + + var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); + + var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg208 = msg("NEIGHBOR_ADDED", part168); + + var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg209 = msg("NEIGHBOR_REMOVED", part169); + + var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); + + var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); + + var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); + + var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg213 = msg("PORT_SUSPENDED", part173); + + var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","status"), + ])); + + var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); + + var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); + + var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); + + var msg217 = msg("ADJCHANGE", dup87); + + var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup29, + dup2, + dup3, + dup4, + ])); + + var msg218 = msg("PORT_ADDED", part175); + + var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var msg219 = msg("PORT_DELETED", part176); + + var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + ])); + + var msg220 = msg("PORT_ROLE", part177); + + var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("change_attribute","Port state"), + ])); + + var msg221 = msg("PORT_STATE", part178); + + var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); + + var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup22, + dup37, + dup38, + dup17, + dup2, + dup3, + dup4, + dup39, + dup40, + ])); + + var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); + + var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); + + var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); + + var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); + + var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); + + var select31 = linear_select([ + part183, + part184, + ]); + + var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); + + var all17 = all_match({ + processors: [ + part182, + select31, + part185, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); + + var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); + + var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. %{info}", processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","Performing configuration copy"), + ])); + + var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); + + var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); + + var all18 = all_match({ + processors: [ + dup64, + dup103, + part188, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + setc("event_description","shell terminated because of session timeout"), + ]), + }); + + var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); + + var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); + + var all19 = all_match({ + processors: [ + dup64, + dup103, + part189, + dup104, + ], + on_success: processor_chain([ + dup63, + dup2, + dup4, + ]), + }); + + var msg229 = msg("TACACS_ACCOUNTING_MESSAGE:07", all19); + + var select32 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + ]); + + var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); + + var msg231 = msg("IF_SFP_WARNING", dup105); + + var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); + + var msg233 = msg("FCIP_PEER_CAVIUM", dup87); + + var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); + + var msg235 = msg("IF_DOWN_PEER_RESET", dup106); + + var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","configuration is not consistent in domain"), + ])); + + var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); + + var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","configuration is consistent in domain"), + ])); + + var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); + + var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); + + var msg239 = msg("IF_HARDWARE", dup105); + + var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ + setc("eventcategory","1604010000"), + dup2, + dup3, + dup4, + ])); + + var msg240 = msg("HEARTBEAT_FAILURE", part192); + + var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); + + var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); + + var msg243 = msg("MOUNT", dup87); + + var msg244 = msg("LOG_CMP_UP", dup87); + + var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); + + var all20 = all_match({ + processors: [ + dup69, + dup107, + part193, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg245 = msg("IF_XCVR_WARNING", all20); + + var msg246 = msg("IF_XCVR_WARNING:01", dup108); + + var select33 = linear_select([ + msg245, + msg246, + ]); + + var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); + + var all21 = all_match({ + processors: [ + dup69, + dup107, + part194, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg247 = msg("IF_XCVR_ALARM", all21); + + var msg248 = msg("IF_XCVR_ALARM:01", dup108); + + var select34 = linear_select([ + msg247, + msg248, + ]); + + var msg249 = msg("MEMORY_ALERT", dup87); + + var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); + + var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); + + var all22 = all_match({ + processors: [ + dup69, + dup107, + part195, + ], + on_success: processor_chain([ + dup15, + dup2, + dup3, + dup4, + ]), + }); + + var msg251 = msg("IF_SFP_ALARM", all22); + + var msg252 = msg("IF_SFP_ALARM:01", dup108); + + var select35 = linear_select([ + msg251, + msg252, + ]); + + var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + + var msg253 = msg("NBRCHANGE_DUAL", part196); + + var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); + + var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); + + var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); + + var select36 = linear_select([ + part198, + part199, + ]); + + var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); + + var all23 = all_match({ + processors: [ + part197, + select36, + part200, + ], + on_success: processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","System minor alarm on fans in fan tray"), + ]), + }); + + var msg254 = msg("SOHMS_DIAG_ERROR", all23); + + var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","FEX-System minor alarm on power supply."), + ])); + + var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); + + var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ + dup61, + dup38, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg256 = msg("SOHMS_DIAG_ERROR:02", part202); + + var select37 = linear_select([ + msg254, + msg255, + msg256, + ]); + + var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. %{info}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Failed to program the mac table"), + ])); + + var msg257 = msg("M2FIB_MAC_TBL_PRGMING", part203); + + var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", "deleting expired user account:%{username}", processor_chain([ + dup19, + dup11, + dup20, + setc("ec_theme","UserGroup"), + dup2, + dup3, + dup4, + setc("event_description","deleting expired user account"), + ])); + + var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); + + var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","Interface is admin up."), + ])); + + var msg259 = msg("IF_ADMIN_UP", part205); + + var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","vPC is configured"), + dup74, + ])); + + var msg260 = msg("VPC_CFGD", part206); + + var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ + dup30, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","System Manager has received notification of local module becoming online."), + ])); + + var msg261 = msg("MODULE_ONLINE", part207); + + var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ + dup30, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","System booted from Primary BIOS Flash"), + ])); + + var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); + + var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ + dup77, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC is down"), + dup74, + ])); + + var msg263 = msg("PEER_VPC_DOWN", part209); + + var part210 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/0", "nwparser.payload", "In domain %{domain}, %{p0}"); + + var part211 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_0", "nwparser.p0", "VPC%{p0}"); + + var part212 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/1_1", "nwparser.p0", "vPC%{p0}"); + + var select38 = linear_select([ + part211, + part212, + ]); + + var part213 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/2", "nwparser.p0", "%{}peer%{p0}"); + + var part214 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_0", "nwparser.p0", "-keepalive%{p0}"); + + var part215 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/3_1", "nwparser.p0", " keep-alive%{p0}"); + + var select39 = linear_select([ + part214, + part215, + ]); + + var part216 = match("MESSAGE#257:PEER_KEEP_ALIVE_RECV_INT_LATEST/4", "nwparser.p0", "%{}received on interface %{interface}"); + + var all24 = all_match({ + processors: [ + part210, + select38, + part213, + select39, + part216, + ], + on_success: processor_chain([ + dup36, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive received on interface"), + ]), + }); + + var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); + + var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ + dup36, + dup34, + dup78, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive receive is successful"), + ])); + + var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); + + var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer keep-alive receive has failed"), + ])); + + var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); + + var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup2, + dup3, + dup4, + setc("event_description","In domain, VPC peer-keepalive sent on interface"), + ])); + + var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); + + var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ + dup36, + dup34, + dup79, + dup35, + dup17, + dup2, + dup3, + dup4, + setc("event_description","In domain, vPC peer keep-alive send is successful"), + ])); + + var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); + + var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ + dup30, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Peer keep-alive status changed."), + setc("change_attribute","peer keep-alive status"), + ])); + + var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); + + var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Ejectors' status in slot has changed."), + ])); + + var msg270 = msg("EJECTOR_STAT_CHANGED", part222); + + var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ + dup29, + setc("ec_activity","Detect"), + dup38, + dup2, + dup3, + dup4, + setc("event_description","Xbar detected"), + ])); + + var msg271 = msg("XBAR_DETECT", part223); + + var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + dup76, + dup2, + dup3, + dup4, + setc("event_description","Xbar powered up"), + ])); + + var msg272 = msg("XBAR_PWRUP", part224); + + var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ + dup15, + dup75, + setc("ec_activity","Stop"), + dup2, + dup3, + dup4, + setc("event_description","Xbar powered down"), + ])); + + var msg273 = msg("XBAR_PWRDN", part225); + + var part226 = match("MESSAGE#267:XBAR_OK", "nwparser.payload", "Xbar %{fld41->} is online (serial: %{fld42})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Xbar is online"), + ])); + + var msg274 = msg("XBAR_OK", part226); + + var part227 = match("MESSAGE#268:VPC_ISSU_START", "nwparser.payload", "Peer vPC switch ISSU start, locking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU start, locking configuration"), + ])); + + var msg275 = msg("VPC_ISSU_START", part227); + + var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC switch ISSU end, unlocking configuration%{}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + setc("event_description","Peer vPC switch ISSU end, unlocking configuration"), + ])); + + var msg276 = msg("VPC_ISSU_END", part228); + + var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_role"), + ])); + + var msg277 = msg("PORT_RANGE_ROLE", part229); + + var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + setc("obj_type","new_state"), + ])); + + var msg278 = msg("PORT_RANGE_STATE", part230); + + var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface removed from MST."), + ])); + + var msg279 = msg("PORT_RANGE_DELETED", part231); + + var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ + dup29, + dup34, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Interface added to MST."), + ])); + + var msg280 = msg("PORT_RANGE_ADDED", part232); + + var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ + dup24, + dup34, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Port removed as MST Boundary port"), + ])); + + var msg281 = msg("MST_PORT_BOUNDARY", part233); + + var part234 = match("MESSAGE#275:PIXM_SYSLOG_MESSAGE_TYPE_CRIT", "nwparser.payload", "Non-transactional PIXM Error. Error Type: %{result}.%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Non-transactional PIXM Error"), + ])); + + var msg282 = msg("PIXM_SYSLOG_MESSAGE_TYPE_CRIT", part234); + + var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interface->} is %{obj_name->} in vdc %{fld43}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("obj_type"," Interface state"), + ])); + + var msg283 = msg("IM_INTF_STATE", part235); + + var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ + dup62, + dup34, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","VDC state changed."), + setc("obj_type"," VDC state"), + ])); + + var msg284 = msg("VDC_STATE_CHANGE", part236); + + var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchover completed.%{}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup81, + ])); + + var msg285 = msg("SWITCHOVER_OVER", part237); + + var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ + dup62, + dup16, + dup38, + dup2, + dup3, + dup4, + dup81, + setc("obj_type"," New Module type"), + ])); + + var msg286 = msg("VDC_MODULETYPE", part238); + + var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ + dup77, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Unable to sync HA sequence number for service"), + ])); + + var msg287 = msg("HASEQNO_SYNC_FAILED", part239); + + var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failure in sending message to standby causing standby to reset."), + ])); + + var msg288 = msg("MSG_SEND_FAILURE_STANDBY_RESET", part240); + + var part241 = match("MESSAGE#282:MODULE_LOCK_FAILED", "nwparser.payload", "Failed to lock the local module to avoid reset (error-id %{resultcode}).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Failed to lock the local module to avoid reset"), + ])); + + var msg289 = msg("MODULE_LOCK_FAILED", part241); + + var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ + dup1, + dup34, + dup79, + dup35, + dup14, + dup2, + dup3, + dup4, + setc("event_description","Failed to send Mac New Learns/Mac moves due to mts send failure."), + ])); + + var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); + + var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ + dup29, + dup80, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server discovered on local in vlan 0 with enabled capability Station"), + ])); + + var msg291 = msg("SERVER_ADDED", part243); + + var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ + dup24, + dup20, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Server on local port has been removed"), + ])); + + var msg292 = msg("SERVER_REMOVED", part244); + + var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); + + var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{portname->} is operationally individual", processor_chain([ + dup8, + dup2, + dup3, + dup4, + setc("event_description","port is operationally individual"), + ])); + + var msg294 = msg("PORT_INDIVIDUAL", part246); + + var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ + dup23, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + dup25, + ])); + + var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); + + var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ + dup22, + dup2, + dup3, + dup4, + setc("event_description","Interface is being recovered from error disabled state"), + ])); + + var msg296 = msg("IF_ERRDIS_RECOVERY", part248); + + var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Non-Cisco transceiver on interface is detected"), + ])); + + var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); + + var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Active supervisor is running with less memory than standby supervisor."), + ])); + + var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); + + var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Configuration update started."), + ])); + + var msg299 = msg("READCONF_STARTED", part251); + + var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Supervisor is running with less memory than active supervisor."), + ])); + + var msg300 = msg("SUP_POWERDOWN", part252); + + var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Starting linecard upgrade"), + ])); + + var msg301 = msg("LC_UPGRADE_START", part253); + + var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Rebooting linecard as a part of upgrade"), + ])); + + var msg302 = msg("LC_UPGRADE_REBOOT", part254); + + var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database controller started."), + ])); + + var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); + + var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Runtime database successfully restored."), + ])); + + var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); + + var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module started"), + ])); + + var msg305 = msg("LCM_MODULE_UPGRADE_START", part257); + + var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Upgrade of module ended"), + ])); + + var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); + + var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ + dup63, + dup34, + dup78, + dup35, + dup2, + dup3, + dup4, + setc("event_description","Recieved insert for lc mod"), + ])); + + var msg307 = msg("FIPS_POST_INFO_MSG", part259); + + var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ + dup30, + dup34, + dup38, + dup17, + dup2, + dup3, + dup4, + setc("event_description","peer vPC is configured"), + dup74, + ])); + + var msg308 = msg("PEER_VPC_CFGD", part260); + + var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ + dup73, + dup34, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Potential Interop issue on interface."), + ])); + + var msg309 = msg("SYN_COLL_DIS_EN", part261); + + var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX OFFLINE"), + ])); + + var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); + + var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX ONLINE"), + ])); + + var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); + + var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is online"), + ])); + + var msg312 = msg("FEX_STATUS_online", part264); + + var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","Fex is offline"), + ])); + + var msg313 = msg("FEX_STATUS_offline", part265); + + var select40 = linear_select([ + msg312, + msg313, + ]); + + var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ + dup73, + dup38, + dup72, + dup2, + dup3, + dup4, + setc("event_description","Power supply present but all AC/DC inputs are not connected, power redundancy might be affected"), + ])); + + var msg314 = msg("PS_PWR_INPUT_MISSING", part266); + + var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Power redundancy operational mode changed."), + setc("change_attribute","operational mode"), + ])); + + var msg315 = msg("PS_RED_MODE_RESTORED", part267); + + var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", "All ejectors open, Module %{fld41->} will not be powered up (Serial number %{fld42})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","All ejectors open, Module will not be powered up."), + ])); + + var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); + + var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + setc("event_description","Fex pinning information is changed"), + ])); + + var msg317 = msg("PINNING_CHANGED", part269); + + var part270 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","FEX-100 Module -Cold boot"), + ])); + + var msg318 = msg("SATCTRL", part270); + + var part271 = match("MESSAGE#312:DUP_REGISTER", "nwparser.payload", "%{fld51->} [%{fld52}] Client %{fld43->} register more than once with same pid%{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Client register more than once with same pid"), + ])); + + var msg319 = msg("DUP_REGISTER", part271); + + var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} [%{fld52}] Unknown mtype: %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + setc("event_description","Unknown mtype"), + ])); + + var msg320 = msg("UNKNOWN_MTYPE", part272); + + var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ + dup30, + dup16, + dup38, + dup2, + dup3, + dup4, + ])); + + var msg321 = msg("SATCTRL_IMAGE", part273); + + var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup1, + setc("ec_subject","Process"), + dup14, + dup2, + dup3, + dup4, + ])); + + var msg322 = msg("API_FAILED", part274); + + var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg323 = msg("SENSOR_MSG1", part275); + + var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ + dup30, + dup2, + dup3, + dup4, + ])); + + var msg324 = msg("API_INIT_SEM_CLEAR", part276); + + var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ + dup30, + dup2, + dup3, + dup4, + setc("event_description","vdc has come online"), + ])); + + var msg325 = msg("VDC_ONLINE", part277); + + var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + setc("event_description","LACP port of port-channel not receiving any LACP BPDUs."), + ])); + + var msg326 = msg("LACP_SUSPEND_INDIVIDUAL", part278); + + var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{info}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg327 = msg("dstats", part279); + + var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ + dup77, + dup34, + setc("ec_activity","Logoff"), + dup35, + dup2, + dup3, + dup4, + ])); + + var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); + + var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ + dup77, + dup34, + dup13, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg329 = msg("MSG_PORT_LOGGED_IN", part281); + + var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); + + var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var msg331 = msg("ZS_MERGE_FAILED", part282); + + var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); + + var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ + dup23, + dup34, + dup35, + dup2, + dup3, + dup4, + setc("change_attribute","Port"), + ])); + + var msg333 = msg("MAC_MOVE_NOTIFICATION", part283); + + var part284 = match("MESSAGE#327:zone", "nwparser.payload", "num_tlv greater than 1, %{result}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + ])); + + var msg334 = msg("zone", part284); + + var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ + dup1, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg335 = msg("ERROR", part285); + + var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup77, + dup34, + dup78, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg336 = msg("INVAL_IP", part286); + + var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{process}: message repeated %{dclass_counter1->} times in last %{duration}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); + + var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg338 = msg("DUPLEX_MISMATCH", part288); + + var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg339 = msg("NOHMS_DIAG_ERROR", part289); + + var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ + dup15, + dup34, + dup35, + dup2, + dup3, + dup4, + ])); + + var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); + + var part291 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ + dup77, + dup34, + dup35, + dup72, + dup2, + dup3, + dup4, + ])); + + var msg341 = msg("UDLD_PORT_DISABLED", part291); + + var part292 = match("MESSAGE#335:ntpd", "nwparser.payload", "ntp:no servers reachable%{}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg342 = msg("ntpd", part292); + + var part293 = match("MESSAGE#336:ntpd:01", "nwparser.payload", "ntp:event EVNT_UNREACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg343 = msg("ntpd:01", part293); + + var part294 = match("MESSAGE#337:ntpd:02", "nwparser.payload", "ntp:event EVNT_REACH %{saddr}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg344 = msg("ntpd:02", part294); + + var part295 = match("MESSAGE#338:ntpd:03", "nwparser.payload", "ntp:synchronized to %{saddr}, stratum %{fld9}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg345 = msg("ntpd:03", part295); + + var part296 = match("MESSAGE#339:ntpd:04", "nwparser.payload", "ntp:%{event_description}", processor_chain([ + dup15, + dup2, + dup4, + ])); + + var msg346 = msg("ntpd:04", part296); + + var select41 = linear_select([ + msg342, + msg343, + msg344, + msg345, + msg346, + ]); + + var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ + dup9, + dup2, + dup3, + dup4, + ])); + + var msg347 = msg("PFM_ALERT", part297); + + var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Client"), + ])); + + var msg348 = msg("SERVICEFOUND", part298); + + var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + setc("event_description","Service acquired on WCCP Router"), + ])); + + var msg349 = msg("ROUTERFOUND", part299); + + var part300 = match("MESSAGE#343:%AUTHPRIV-3-SYSTEM_MSG", "nwparser.payload", "pam_aaa:Authentication failed from %{shost->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Authentication failed"), + ])); + + var msg350 = msg("%AUTHPRIV-3-SYSTEM_MSG", part300); + + var part301 = match("MESSAGE#344:%AUTHPRIV-5-SYSTEM_MSG", "nwparser.payload", "New user added with username %{username->} - %{agent}", processor_chain([ + dup18, + dup2, + dup12, + dup3, + dup4, + setc("event_description","New user added"), + ])); + + var msg351 = msg("%AUTHPRIV-5-SYSTEM_MSG", part301); + + var part302 = match("MESSAGE#345:%AUTHPRIV-6-SYSTEM_MSG:01", "nwparser.payload", "%{action}: %{service->} pid=%{process_id->} from=::ffff:%{saddr->} - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + ])); + + var msg352 = msg("%AUTHPRIV-6-SYSTEM_MSG:01", part302); + + var part303 = match("MESSAGE#346:%AUTHPRIV-6-SYSTEM_MSG", "nwparser.payload", "pam_unix(%{fld1}:session): session opened for user %{username->} by (uid=%{uid}) - %{agent}", processor_chain([ + dup10, + dup2, + dup12, + dup3, + dup4, + setc("event_description","session opened for user"), + ])); + + var msg353 = msg("%AUTHPRIV-6-SYSTEM_MSG", part303); + + var select42 = linear_select([ + msg352, + msg353, + ]); + + var part304 = match("MESSAGE#347:%USER-3-SYSTEM_MSG", "nwparser.payload", "error: %{result}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + ])); + + var msg354 = msg("%USER-3-SYSTEM_MSG", part304); + + var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Invalid user %{username->} from %{saddr->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg355 = msg("%USER-6-SYSTEM_MSG", part305); + + var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "input_userauth_request: invalid user %{username->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + dup82, + ])); + + var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); + + var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Failed none for invalid user %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup5, + dup2, + dup3, + dup4, + setc("event_description","Failed none for invalid user"), + ])); + + var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); + + var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Accepted password for user"), + ])); + + var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); + + var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","No such file or directory"), + ])); + + var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); + + var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + setc("event_description","Could not load host key"), + ])); + + var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); + + var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ + dup83, + dup2, + dup3, + dup4, + ])); + + var msg361 = msg("%USER-6-SYSTEM_MSG:06", part311); + + var select43 = linear_select([ + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + ]); + + var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ + dup30, + dup2, + dup4, + setc("ec_activity","Disable"), + ])); + + var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); + + var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ + dup30, + dup2, + dup4, + dup37, + ])); + + var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); + + var part314 = match("MESSAGE#357:PS_ABSENT", "nwparser.payload", "Power supply %{fld1->} is %{disposition}, ps-redundancy might be affected", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg364 = msg("PS_ABSENT", part314); + + var part315 = match("MESSAGE#358:PS_DETECT", "nwparser.payload", "Power supply %{fld1->} detected but %{disposition->} (Serial number %{serial_number})", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg365 = msg("PS_DETECT", part315); + + var part316 = match("MESSAGE#359:SUBPROC_TERMINATED", "nwparser.payload", "\"System Manager (configuration controller)\" (PID %{process_id}) has finished with error code %{result->} (%{resultcode}).", processor_chain([ + dup1, + dup2, + dup4, + ])); + + var msg366 = msg("SUBPROC_TERMINATED", part316); + + var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"%{service}\" (PID %{process_id}) has successfully exited with exit code %{result->} (%{resultcode}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup17, + ])); + + var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); + + var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ + dup30, + dup2, + dup4, + ])); + + var msg368 = msg("UPDOWN", part318); + + var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ + dup30, + dup2, + dup4, + setc("change_attribute","Interface"), + ])); + + var msg369 = msg("L2FM_MAC_MOVE2", part319); + + var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); + + var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ + dup30, + dup2, + dup4, + dup38, + ])); + + var msg371 = msg("PS_RED_MODE_CHG", part321); + + var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg372 = msg("INVAL_MAC", part322); + + var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State for service \"%{service}\" changed from %{change_old->} to %{change_new->} in vdc %{fld1}.", processor_chain([ + dup15, + dup2, + dup4, + setc("change_attribute","Service status"), + ])); + + var msg373 = msg("SRVSTATE_CHANGED", part323); + + var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ + dup63, + dup2, + dup4, + ])); + + var msg374 = msg("INFO", part324); + + var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service \"%{service}\" in vdc %{fld1->} started with PID(%{process_id}).", processor_chain([ + dup15, + dup2, + dup4, + dup84, + dup76, + dup17, + ])); + + var msg375 = msg("SERVICE_STARTED", part325); + + var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local Virtual ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); + + var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{process->} [%{process_id}] Duplicate address Detected. Probe packet received from %{smacaddr->} on %{vlan->} with destination set to our local ip, %{saddr}", processor_chain([ + dup8, + dup2, + dup3, + dup4, + dup85, + ])); + + var msg377 = msg("DUP_SRCIP_PROBE", part327); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "%AUTHPRIV-3-SYSTEM_MSG": msg350, + "%AUTHPRIV-5-SYSTEM_MSG": msg351, + "%AUTHPRIV-6-SYSTEM_MSG": select42, + "%USER-3-SYSTEM_MSG": msg354, + "%USER-6-SYSTEM_MSG": select43, + "AAA_ACCOUNTING_MESSAGE": select28, + "ACLLOG_FLOW_INTERVAL": msg187, + "ACLLOG_MAXFLOW_REACHED": msg188, + "ACLLOG_NEW_FLOW": msg189, + "ACTIVE_LOWER_MEM_THAN_STANDBY": msg298, + "ACTIVE_SUP_OK": msg74, + "ADDON_IMG_DNLD_COMPLETE": msg60, + "ADDON_IMG_DNLD_STARTED": msg61, + "ADDON_IMG_DNLD_SUCCESSFUL": msg62, + "ADJCHANGE": msg217, + "API_FAILED": msg322, + "API_INIT_SEM_CLEAR": msg324, + "BIOS_DAEMON_LC_PRI_BOOT": msg262, + "CFGWRITE_ABORTED": msg135, + "CFGWRITE_ABORTED_LOCK": msg133, + "CFGWRITE_DONE": msg136, + "CFGWRITE_FAILED": msg134, + "CFGWRITE_STARTED": msg137, + "CFGWRITE_USER_ABORT": msg198, + "CHASSIS_CLKMODOK": msg80, + "CHASSIS_CLKSRC": msg81, + "CONN_CONNECT": msg145, + "CONN_DISCONNECT": msg146, + "CREATED": msg51, + "DELETE_STALE_USER_ACCOUNT": msg258, + "DISPUTE_CLEARED": msg77, + "DISPUTE_DETECTED": msg78, + "DOMAIN_CFG_SYNC_DONE": msg79, + "DUPLEX_MISMATCH": msg338, + "DUP_REGISTER": msg319, + "DUP_SRCIP_PROBE": msg377, + "DUP_VADDR_SRCIP_PROBE": msg376, + "DUP_VADDR_SRC_IP": msg190, + "DVPG_CREATE": msg147, + "DVPG_DELETE": msg148, + "DVS_HOSTMEMBER_INFO": msg149, + "DVS_NAME_CHANGE": msg150, + "EJECTOR_STAT_CHANGED": msg270, + "ERROR": msg335, + "ERR_MSG": msg131, + "EVENT": msg206, + "FAN_DETECT": msg97, + "FAN_OK": msg82, + "FCIP_PEER_CAVIUM": msg233, + "FEX_PORT_STATUS_NOTI": msg214, + "FEX_STATUS": select40, + "FIPS_POST_INFO_MSG": msg307, + "FOP_CHANGED": msg52, + "HASEQNO_SYNC_FAILED": msg287, + "HEARTBEAT_FAILURE": msg240, + "IF_ADMIN_UP": msg259, + "IF_ATTACHED": msg138, + "IF_BANDWIDTH_CHANGE": msg210, + "IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR": msg203, + "IF_DELETE_AUTO": msg139, + "IF_DETACHED": msg140, + "IF_DETACHED_MODULE_REMOVED": msg141, + "IF_DOWN_ADMIN_DOWN": select11, + "IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED": msg199, + "IF_DOWN_CFG_CHANGE": msg193, + "IF_DOWN_CHANNEL_ADMIN_DOWN": msg295, + "IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS": msg38, + "IF_DOWN_ELP_FAILURE_ISOLATION": msg330, + "IF_DOWN_ERROR_DISABLED": msg35, + "IF_DOWN_FCOT_NOT_PRESENT": select17, + "IF_DOWN_INACTIVE": msg142, + "IF_DOWN_INITIALIZING": select18, + "IF_DOWN_INTERFACE_REMOVED": msg39, + "IF_DOWN_LINK_FAILURE": select12, + "IF_DOWN_MODULE_REMOVED": msg42, + "IF_DOWN_NONE": select19, + "IF_DOWN_NON_PARTICIPATING": msg143, + "IF_DOWN_NOS_RCVD": select20, + "IF_DOWN_OFFLINE": msg114, + "IF_DOWN_OLS_RCVD": msg115, + "IF_DOWN_PARENT_ADMIN_DOWN": msg211, + "IF_DOWN_PEER_CLOSE": msg234, + "IF_DOWN_PEER_RESET": msg235, + "IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN": msg43, + "IF_DOWN_SOFTWARE_FAILURE": msg116, + "IF_DOWN_SRC_PORT_NOT_BOUND": msg117, + "IF_DOWN_SUSPENDED_BY_SPEED": msg293, + "IF_DOWN_TCP_MAX_RETRANSMIT": msg232, + "IF_DOWN_VEM_UNLICENSED": msg144, + "IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION": msg332, + "IF_DUPLEX": msg44, + "IF_ERRDIS_RECOVERY": msg296, + "IF_ERROR_VLANS_REMOVED": msg191, + "IF_ERROR_VLANS_SUSPENDED": msg192, + "IF_HARDWARE": msg239, + "IF_NON_CISCO_TRANSCEIVER": msg297, + "IF_PORTPROFILE_ATTACHED": msg125, + "IF_RX_FLOW_CONTROL": msg45, + "IF_SEQ_ERROR": msg46, + "IF_SFP_ALARM": select35, + "IF_SFP_WARNING": msg231, + "IF_TRUNK_DOWN": select21, + "IF_TRUNK_UP": select22, + "IF_TX_FLOW_CONTROL": msg47, + "IF_UP": select13, + "IF_XCVR_ALARM": select34, + "IF_XCVR_WARNING": select33, + "IMG_DNLD_COMPLETE": msg63, + "IMG_DNLD_STARTED": msg64, + "IM_INTF_STATE": msg283, + "IM_SEQ_ERROR": msg59, + "INFO": msg374, + "INFORMATION": msg205, + "INTF_CONSISTENCY_FAILED": msg236, + "INTF_CONSISTENCY_SUCCESS": msg237, + "INTF_COUNTERS_CLEARED": msg238, + "INVAL_IP": msg336, + "INVAL_MAC": msg372, + "L2FMC_NL_MTS_SEND_FAILURE": msg290, + "L2FM_MAC_FLAP_DISABLE_LEARN": msg362, + "L2FM_MAC_FLAP_RE_ENABLE_LEARN": msg363, + "L2FM_MAC_MOVE2": msg369, + "LACP_SUSPEND_INDIVIDUAL": msg326, + "LCM_MODULE_UPGRADE_END": msg306, + "LCM_MODULE_UPGRADE_START": msg305, + "LC_UPGRADE_REBOOT": msg302, + "LC_UPGRADE_START": msg301, + "LOG-7-SYSTEM_MSG": msg1, + "LOG_CMP_AAA_FAILURE": msg67, + "LOG_CMP_UP": msg244, + "LOG_LIC_N1K_EXPIRY_WARNING": msg68, + "M2FIB_MAC_TBL_PRGMING": msg257, + "MAC_MOVE_NOTIFICATION": msg333, + "MEMORY_ALERT": msg249, + "MEMORY_ALERT_RECOVERED": msg250, + "MESG": msg130, + "MODULE_LOCK_FAILED": msg289, + "MODULE_ONLINE": msg261, + "MOD_BRINGUP_MULTI_LIMIT": msg96, + "MOD_DETECT": msg83, + "MOD_FAIL": msg69, + "MOD_MAJORSWFAIL": msg70, + "MOD_OK": msg75, + "MOD_PWRDN": msg84, + "MOD_PWRFAIL_EJECTORS_OPEN": msg316, + "MOD_PWRUP": msg85, + "MOD_REMOVE": msg86, + "MOD_RESTART": msg76, + "MOD_SRG_NOT_COMPATIBLE": msg71, + "MOD_STATUS": msg98, + "MOD_WARNING": select14, + "MOUNT": msg243, + "MSG_PORT_LOGGED_IN": msg329, + "MSG_PORT_LOGGED_OUT": msg328, + "MSG_SEND_FAILURE_STANDBY_RESET": msg288, + "MSM_CRIT": msg66, + "MST_PORT_BOUNDARY": msg281, + "MTSERROR": msg34, + "MTS_DROP": msg57, + "NATIVE_VLAN_MISMATCH": msg207, + "NBRCHANGE_DUAL": msg253, + "NEIGHBOR_ADDED": msg208, + "NEIGHBOR_REMOVED": msg209, + "NEIGHBOR_UPDATE_AUTOCOPY": msg33, + "NOHMS_DIAG_ERROR": msg339, + "NOHMS_DIAG_ERR_PS_FAIL": msg215, + "NOHMS_DIAG_ERR_PS_RECOVERED": msg216, + "NOHMS_ENV_FEX_OFFLINE": msg310, + "NOHMS_ENV_FEX_ONLINE": msg311, + "PEER_KEEP_ALIVE_RECV_FAIL": msg266, + "PEER_KEEP_ALIVE_RECV_INT_LATEST": msg264, + "PEER_KEEP_ALIVE_RECV_SUCCESS": msg265, + "PEER_KEEP_ALIVE_SEND_INT_LATEST": msg267, + "PEER_KEEP_ALIVE_SEND_SUCCESS": msg268, + "PEER_KEEP_ALIVE_STATUS": msg269, + "PEER_VPC_CFGD": msg308, + "PEER_VPC_CFGD_VLANS_CHANGED": msg99, + "PEER_VPC_DELETED": msg100, + "PEER_VPC_DOWN": msg263, + "PFM_ALERT": msg347, + "PFM_CLOCK_CHANGE": msg194, + "PFM_FAN_FLTR_STATUS": msg242, + "PFM_MODULE_POWER_ON": msg87, + "PFM_PS_RED_MODE_CHG": msg370, + "PFM_SYSTEM_RESET": msg88, + "PFM_VEM_DETECTED": msg101, + "PFM_VEM_REMOVE_NO_HB": msg89, + "PFM_VEM_REMOVE_RESET": msg90, + "PFM_VEM_REMOVE_STATE_CONFLICT": msg91, + "PFM_VEM_REMOVE_TWO_ACT_VSM": msg92, + "PFM_VEM_UNLICENSED": msg93, + "PINNING_CHANGED": msg317, + "PIXM_SYSLOG_MESSAGE_TYPE_CRIT": msg282, + "POLICY_ACTIVATE_EVENT": msg27, + "POLICY_COMMIT_EVENT": msg28, + "POLICY_DEACTIVATE_EVENT": msg29, + "POLICY_LOOKUP_EVENT": select10, + "PORT_ADDED": msg218, + "PORT_DELETED": msg219, + "PORT_DOWN": msg53, + "PORT_INDIVIDUAL": msg294, + "PORT_INDIVIDUAL_DOWN": msg212, + "PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE": msg124, + "PORT_RANGE_ADDED": msg280, + "PORT_RANGE_DELETED": msg279, + "PORT_RANGE_ROLE": msg277, + "PORT_RANGE_STATE": msg278, + "PORT_ROLE": msg220, + "PORT_SOFTWARE_FAILURE": msg65, + "PORT_STATE": msg221, + "PORT_SUSPENDED": msg213, + "PORT_UP": msg54, + "PS_ABSENT": msg364, + "PS_CAPACITY_CHANGE": select16, + "PS_DETECT": msg365, + "PS_FAIL": msg204, + "PS_FANOK": msg94, + "PS_FOUND": msg102, + "PS_OK": msg95, + "PS_PWR_INPUT_MISSING": msg314, + "PS_RED_MODE_CHG": msg371, + "PS_RED_MODE_RESTORED": msg315, + "PS_STATUS": msg103, + "PVLAN_PPM_PORT_CONFIG_FAILED": msg129, + "READCONF_STARTED": msg299, + "RM_VICPP_RECREATE_ERROR": msg132, + "ROUTERFOUND": msg349, + "RUNTIME_DB_RESTORE_STARTED": msg303, + "RUNTIME_DB_RESTORE_SUCCESS": msg304, + "SATCTRL": msg318, + "SATCTRL_IMAGE": msg321, + "SENSOR_MSG1": msg323, + "SERVER_ADDED": msg291, + "SERVER_REMOVED": msg292, + "SERVICEFOUND": msg348, + "SERVICELOST": msg202, + "SERVICE_CRASHED": msg201, + "SERVICE_STARTED": msg375, + "SOHMS_DIAG_ERROR": select37, + "SPEED": msg50, + "SRVSTATE_CHANGED": msg373, + "STANDBY_SUP_OK": msg126, + "STM_LEARNING_RE_ENABLE": msg340, + "STM_LOOP_DETECT": msg127, + "SUBGROUP_ID_PORT_ADDED": msg55, + "SUBGROUP_ID_PORT_REMOVED": msg56, + "SUBPROC_SUCCESS_EXIT": msg367, + "SUBPROC_TERMINATED": msg366, + "SUP_POWERDOWN": msg300, + "SWITCHOVER_OVER": msg285, + "SYNC_COMPLETE": msg128, + "SYNC_FAILURE_STANDBY_RESET": msg195, + "SYN_COLL_DIS_EN": msg309, + "SYSLOG_LOG_WARNING": msg58, + "SYSLOG_SL_MSG_WARNING": msg337, + "SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG": msg241, + "SYSTEM_MSG": select9, + "TACACS_ACCOUNTING_MESSAGE": select32, + "TACACS_ERROR_MESSAGE": msg230, + "UDLD_PORT_DISABLED": msg341, + "UNKNOWN_MTYPE": msg320, + "UPDOWN": msg368, + "VDC_HOSTNAME_CHANGE": msg26, + "VDC_MODULETYPE": msg286, + "VDC_ONLINE": msg325, + "VDC_STATE_CHANGE": msg284, + "VMS_PPM_SYNC_COMPLETE": msg151, + "VPC_CFGD": msg260, + "VPC_DELETED": msg152, + "VPC_ISSU_END": msg276, + "VPC_ISSU_START": msg275, + "VPC_UP": msg153, + "VSHD_SYSLOG_CONFIG_I": select25, + "XBAR_DETECT": msg271, + "XBAR_OK": msg274, + "XBAR_PWRDN": msg273, + "XBAR_PWRUP": msg272, + "ZS_MERGE_FAILED": msg331, + "dstats": msg327, + "last": msg200, + "ntpd": select41, + "snmpd": select29, + "zone": msg334, + }), + ]); + + var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); + + var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); + + var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); + + var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); + + var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); + + var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); + + var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); + + var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); + + var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); + + var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); + + var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); + + var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); + + var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); + + var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); + + var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); + + var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); + + var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); + + var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); + + var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); + + var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); + + var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); + + var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); + + var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); + + var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); + + var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); + + var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); + + var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); + + var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); + + var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); + + var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var select44 = linear_select([ + dup26, + dup27, + ]); + + var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup1, + dup2, + dup3, + dup4, + ])); + + var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, + dup2, + dup3, + dup4, + ])); + + var part365 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, + dup35, + dup14, + dup2, + dup3, + dup4, + ])); + + var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, + dup2, + dup3, + dup4, + ])); + + var select45 = linear_select([ + dup46, + dup47, + ]); + + var select46 = linear_select([ + dup49, + dup50, + ]); + + var select47 = linear_select([ + dup54, + dup55, + ]); + + var select48 = linear_select([ + dup57, + dup58, + ]); + + var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select49 = linear_select([ + dup65, + dup66, + ]); + + var select50 = linear_select([ + dup67, + dup68, + ]); + + var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup15, + dup2, + dup3, + dup4, + ])); + + var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, + dup2, + dup3, + dup4, + ])); + + var select51 = linear_select([ + dup70, + dup71, + ]); + + var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, + dup2, + dup3, + dup4, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_nexus/0.7.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..27e250da8d --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,68 @@ +--- +description: Pipeline for Cisco Nexus + +processors: + - set: + field: ecs.version + value: '8.4.0' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/fields/agent.yml b/packages/cisco_nexus/0.7.3/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..e0f9e38998 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/fields/agent.yml @@ -0,0 +1,170 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/fields/base-fields.yml b/packages/cisco_nexus/0.7.3/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..d78668f34f --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/fields/base-fields.yml @@ -0,0 +1,38 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_nexus +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_nexus.log +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/fields/ecs.yml b/packages/cisco_nexus/0.7.3/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..f7e5c95752 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/fields/ecs.yml @@ -0,0 +1,547 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/fields/fields.yml b/packages/cisco_nexus/0.7.3/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..489a873293 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/fields/fields.yml @@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/manifest.yml b/packages/cisco_nexus/0.7.3/data_stream/log/manifest.yml new file mode 100755 index 0000000000..a608512a5c --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/manifest.yml @@ -0,0 +1,205 @@ +title: Cisco Nexus logs +release: experimental +type: logs +streams: + - input: udp + title: Cisco Nexus logs + description: Collect Cisco Nexus logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-nexus + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 9506 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Cisco Nexus logs + description: Collect Cisco Nexus logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-nexus + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP port to listen on + multi: false + required: true + show_user: true + default: 9506 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + enabled: false + title: Cisco Nexus logs + description: Collect Cisco Nexus logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/cisco-nexus.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cisco-nexus + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/cisco_nexus/0.7.3/data_stream/log/sample_event.json b/packages/cisco_nexus/0.7.3/data_stream/log/sample_event.json new file mode 100755 index 0000000000..36fb5dc12d --- /dev/null +++ b/packages/cisco_nexus/0.7.3/data_stream/log/sample_event.json @@ -0,0 +1,57 @@ +{ + "@timestamp": "2022-01-25T12:10:52.945Z", + "agent": { + "ephemeral_id": "168bb285-37c0-4f83-9ac8-fb8599371dad", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "cisco_nexus.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "code": "pam_aaa", + "dataset": "cisco_nexus.log", + "ingested": "2022-01-25T12:10:53Z", + "original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:48333" + } + }, + "observer": { + "product": "Nexus", + "type": "Switches", + "vendor": "Cisco" + }, + "rsa": { + "internal": { + "messageid": "pam_aaa" + }, + "time": { + "timezone": "Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG" + } + }, + "tags": [ + "preserve_original_event", + "cisco-nexus", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/cisco_nexus/0.7.3/docs/README.md b/packages/cisco_nexus/0.7.3/docs/README.md new file mode 100755 index 0000000000..36c6117484 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/docs/README.md @@ -0,0 +1,914 @@ +# Cisco Nexus Integration + +This integration is for [Cisco Nexus device](https://developer.cisco.com/docs/nx-os/) logs. It includes the following +datasets for receiving logs over syslog or read from a file: + +- `log` fileset: supports Cisco Nexus switch logs. + +## Logs + +### Nexus + +The `log` dataset collects Cisco Nexus logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-01-25T12:10:52.945Z", + "agent": { + "ephemeral_id": "168bb285-37c0-4f83-9ac8-fb8599371dad", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "cisco_nexus.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "code": "pam_aaa", + "dataset": "cisco_nexus.log", + "ingested": "2022-01-25T12:10:53Z", + "original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:48333" + } + }, + "observer": { + "product": "Nexus", + "type": "Switches", + "vendor": "Cisco" + }, + "rsa": { + "internal": { + "messageid": "pam_aaa" + }, + "time": { + "timezone": "Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG" + } + }, + "tags": [ + "preserve_original_event", + "cisco-nexus", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | diff --git a/packages/cisco_nexus/0.7.3/img/cisco.svg b/packages/cisco_nexus/0.7.3/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_nexus/0.7.3/manifest.yml b/packages/cisco_nexus/0.7.3/manifest.yml new file mode 100755 index 0000000000..53d32265e9 --- /dev/null +++ b/packages/cisco_nexus/0.7.3/manifest.yml @@ -0,0 +1,34 @@ +format_version: 1.0.0 +name: cisco_nexus +title: Cisco Nexus +version: "0.7.3" +license: basic +description: Collect logs from Cisco Nexus with Elastic Agent. +type: integration +categories: + - network + - security +release: experimental +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +icons: + - src: /img/cisco.svg + title: cisco + size: 216x216 + type: image/svg+xml +policy_templates: + - name: cisco_nexus + title: Cisco Nexus logs + description: Collect logs from Cisco Nexus instances + inputs: + - type: udp + title: Collect logs from Cisco Nexus via UDP + description: Collecting logs from Cisco Nexus via UDP + - type: tcp + title: Collect logs from Cisco Nexus via TCP + description: Collecting logs from Cisco Nexus via TCP + - type: logfile + title: Collect logs from Cisco Nexus via file + description: Collecting logs from Cisco Nexus via file +owner: + github: elastic/security-external-integrations diff --git a/packages/cisco_secure_email_gateway/1.0.1/LICENSE.txt b/packages/cisco_secure_email_gateway/1.0.1/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_secure_email_gateway/1.0.1/changelog.yml b/packages/cisco_secure_email_gateway/1.0.1/changelog.yml new file mode 100755 index 0000000000..ffa68c9a61 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/changelog.yml @@ -0,0 +1,31 @@ +# newer versions go on top +- version: "1.0.1" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4400 +- version: "1.0.0" + changes: + - description: Make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/3859 +- version: "0.3.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3843 +- version: "0.2.1" + changes: + - description: Improve SSL config description and example. + type: enhancement + link: https://github.com/elastic/integrations/pull/3763 +- version: "0.2.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "0.1.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/3040 diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..37e98f82cb --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/stream.yml.hbs @@ -0,0 +1,19 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +exclude_files: [".gz$"] +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..e360ae57b7 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,19 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} + \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..cf261dfa7c --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,16 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} + \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..d28accdced --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,103 @@ +--- +description: Pipeline for Cisco Secure Email Gateway logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - set: + field: _tmp.filepath + value: "{{{log.file.path}}}" + if: ctx?.log?.file?.path != null + - grok: + field: _tmp.filepath + if: ctx?.log?.file?.path != null + patterns: + - "^%{DATA}/%{WORD:cisco_secure_email_gateway.log.category.name}.@%{GREEDYDATA}.s" + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - "^%{DATA:_tmp.timestamp} %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - lowercase: + field: log.level + ignore_failure: true + - date: + field: _tmp.timestamp + target_field: "@timestamp" + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMM d HH:mm:ss + ignore_failure: true + - pipeline: + name: '{{ IngestPipeline "pipeline_authentication" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "authentication" + - pipeline: + name: '{{ IngestPipeline "pipeline_gui_logs" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "gui_logs" + - pipeline: + name: '{{ IngestPipeline "pipeline_anti_spam" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "antispam" + - pipeline: + name: '{{ IngestPipeline "pipeline_error_logs" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "error_logs" + - pipeline: + name: '{{ IngestPipeline "pipeline_text_mail_logs" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "mail_logs" + - pipeline: + name: '{{ IngestPipeline "pipeline_content_scanner" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "content_scanner" + - pipeline: + name: '{{ IngestPipeline "pipeline_system" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "system" + - pipeline: + name: '{{ IngestPipeline "pipeline_bounce" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "bounces" + - pipeline: + name: '{{ IngestPipeline "pipeline_status" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "status" + - pipeline: + name: '{{ IngestPipeline "pipeline_amp" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "amp" + - pipeline: + name: '{{ IngestPipeline "pipeline_consolidated_event" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "consolidated_event" + - remove: + field: + - _tmp + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" + \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml new file mode 100755 index 0000000000..2c47b64513 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml @@ -0,0 +1,122 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^File reputation query initiating. %{GREEDYDATA:_tmp.new_message}" + - "^Response received for file reputation query from Cloud. %{GREEDYDATA:_tmp.new_message}" + - "^File Analysis complete. SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256}, Submit Timestamp: %{GREEDYDATA:_tmp.submit.timestamp}, Update Timestamp: %{GREEDYDATA:_tmp.update.timestamp}, Disposition: %{DATA:cisco_secure_email_gateway.log.disposition} Score: %{NUMBER:cisco_secure_email_gateway.log.score:long}, run_id: %{NUMBER:cisco_secure_email_gateway.log.run_id} Details: %{DATA:cisco_secure_email_gateway.log.details} Spyname:\\[%{GREEDYDATA:cisco_secure_email_gateway.log.spy_name}\\]" + - "^File not uploaded for analysis. MID = %{NUMBER:email.message_id} File SHA256\\[%{GREEDYDATA:email.attachments.file.hash.sha256}\\] file mime\\[%{GREEDYDATA:email.attachments.file.mime_type}\\] Reason: %{GREEDYDATA:event.reason}" + - "^File analysis upload skipped. SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256},Timestamp\\[%{GREEDYDATA:_tmp.submit.timestamp}\\] details\\[%{GREEDYDATA:_tmp.cisco_secure_email_gateway.log.remaining_details}]" + - "^SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256},Timestamp\\[%{GREEDYDATA:_tmp.submit.timestamp}\\] details\\[%{GREEDYDATA:cisco_secure_email_gateway.log.server_error_details}\\]" + - "^Retrospective verdict received. %{GREEDYDATA:_tmp.new_message}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - kv: + field: _tmp.new_message + if: ctx._tmp.new_message != null + field_split: ", |," + value_split: " = | =|: " + - grok: + field: _tmp.cisco_secure_email_gateway.log.remaining_details + if: ctx?._tmp?.cisco_secure_email_gateway?.log?.remaining_details != null + patterns: + - "^File SHA256\\[%{GREEDYDATA:email.attachments.file.hash.sha256}\\] file mime\\[%{GREEDYDATA:email.attachments.file.mime_type}\\], upload priority\\[%{GREEDYDATA:cisco_secure_email_gateway.log.upload.priority}\\] not uploaded, re-tries\\[%{GREEDYDATA:cisco_secure_email_gateway.log.retries:long}\\], backoff\\[%{GREEDYDATA:cisco_secure_email_gateway.log.backoff:long}\\] %{GREEDYDATA:cisco_secure_email_gateway.log.details}" + - rename: + field: "Timestamp" + target_field: _tmp.submit.timestamp + ignore_missing: true + - date: + field: _tmp.submit.timestamp + target_field: cisco_secure_email_gateway.log.submit.timestamp + if: ctx?.cisco_secure_email_gateway?.log?._tmp?.submit?.timestamp != "0" + ignore_failure: true + formats: + - UNIX + - date: + field: _tmp.update.timestamp + target_field: cisco_secure_email_gateway.log.update.timestamp + if: ctx?.cisco_secure_email_gateway?.log?._tmp?.update?.timestamp != "0" + ignore_failure: true + formats: + - UNIX + - rename: + field: "File Name" + target_field: email.attachments.file.name + ignore_missing: true + - rename: + field: "MID" + target_field: email.message_id + ignore_missing: true + - gsub: + field: "File Size" + pattern: "\ bytes" + replacement: "" + ignore_failure: true + - convert: + field: "File Size" + target_field: email.attachments.file.size + type: long + ignore_missing: true + - rename: + field: "File Type" + target_field: email.content_type + ignore_missing: true + - rename: + field: "FileName" + target_field: email.attachments.file.name + ignore_missing: true + - rename: + field: "Malware" + target_field: cisco_secure_email_gateway.log.malware + ignore_missing: true + - rename: + field: "Disposition" + target_field: cisco_secure_email_gateway.log.disposition + ignore_missing: true + - rename: + field: "Reputation Score" + target_field: cisco_secure_email_gateway.log.reputation_score + ignore_missing: true + - rename: + field: "sha256" + target_field: email.attachments.file.hash.sha256 + ignore_missing: true + - rename: + field: "upload_action" + target_field: cisco_secure_email_gateway.log.upload.action + ignore_missing: true + - rename: + field: "Reputation Score" + target_field: cisco_secure_email_gateway.log.reputation_score + ignore_missing: true + - rename: + field: "SHA256" + target_field: email.attachments.file.hash.sha256 + ignore_missing: true + - rename: + field: "Spyname" + target_field: cisco_secure_email_gateway.log.spy_name + ignore_missing: true + - rename: + field: "Verdict" + target_field: cisco_secure_email_gateway.log.verdict + ignore_missing: true + - gsub: + field: email.attachments.file.name + pattern: \' + replacement: "" + ignore_failure: true + - append: + field: related.hash + value: "{{{email.attachments.file.hash.sha256}}}" + if: ctx?.email?.attachments?.file?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - _tmp + - "File Size" + ignore_missing: true diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_anti_spam.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_anti_spam.yml new file mode 100755 index 0000000000..d00bdb71a1 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_anti_spam.yml @@ -0,0 +1,12 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^case %{GREEDYDATA:cisco_secure_email_gateway.log.object_category} \\(%{NUMBER:cisco_secure_email_gateway.log.case_id}\\) : case-daemon: all %{DATA:cisco_secure_email_gateway.log.object} killed, %{GREEDYDATA:cisco_secure_email_gateway.log.result}" + - "^case %{GREEDYDATA:cisco_secure_email_gateway.log.object_category} \\(%{NUMBER:cisco_secure_email_gateway.log.case_id}\\) : case-daemon: %{DATA:cisco_secure_email_gateway.log.object} killed by %{DATA:cisco_secure_email_gateway.log.command}, %{GREEDYDATA:cisco_secure_email_gateway.log.result}" + - "^case %{GREEDYDATA:cisco_secure_email_gateway.log.object_category} \\(%{NUMBER:cisco_secure_email_gateway.log.case_id}\\) : case-daemon: %{GREEDYDATA:cisco_secure_email_gateway.log.result}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml new file mode 100755 index 0000000000..58b672d1db --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml @@ -0,0 +1,51 @@ +--- +processors: + - set: + field: event.kind + value: event + - set: + field: event.category + value: [authentication] + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^GUI: User %{USERNAME:user.name} %{GREEDYDATA:cisco_secure_email_gateway.log.action} from session %{GREEDYDATA:cisco_secure_email_gateway.log.session} because of inactivity timeout" + - "^CLI: User %{USERNAME:user.name} %{GREEDYDATA:cisco_secure_email_gateway.log.action} from %{GREEDYDATA:cisco_secure_email_gateway.log.session} because of inactivity timeout" + - "^%{WORD:cisco_secure_email_gateway.log.action}:%{IP:host.ip} user:%{USERNAME:user.name} session:%{WORD:cisco_secure_email_gateway.log.session}" + - "^User %{USERNAME:user.name} %{GREEDYDATA:cisco_secure_email_gateway.log.action} of %{WORD:network.protocol} session %{IP:host.ip}" + - "^An authentication attempt by the user %{USERNAME:user.name} from %{IP:host.ip} %{WORD:cisco_secure_email_gateway.log.outcome} using an %{WORD:network.protocol} connection." + - "^The user %{USERNAME:user.name} %{WORD:cisco_secure_email_gateway.log.outcome} %{GREEDYDATA:cisco_secure_email_gateway.log.action} from %{IP:host.ip} with privilege %{DATA:cisco_secure_email_gateway.log.privilege} using an %{WORD:network.protocol} connection." + - "^User %{USERNAME:user.name} was %{WORD:cisco_secure_email_gateway.log.action} %{WORD:cisco_secure_email_gateway.log.outcome}." + - "^User %{USERNAME:user.name} %{WORD:cisco_secure_email_gateway.log.outcome} %{WORD:cisco_secure_email_gateway.log.action}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - lowercase: + field: network.protocol + ignore_failure: true + - set: + field: event.outcome + if: ctx?.cisco_secure_email_gateway?.log?.outcome == "failed" + value: failure + - set: + field: event.outcome + if: ctx?.cisco_secure_email_gateway?.log?.outcome == "successfully" + value: success + - set: + field: event.type + if: ctx?.cisco_secure_email_gateway?.log?.action == "logged on" || ctx?.cisco_secure_email_gateway?.log?.action == 'authenticated' + value: [start] + - set: + field: event.type + if: ctx?.cisco_secure_email_gateway?.log?.action == 'logged out' || ctx?.cisco_secure_email_gateway?.log?.action == 'logout' + value: [end] + - append: + field: related.user + value: "{{{user.name}}}" + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{host.ip}}}" + if: ctx?.host?.ip != null + allow_duplicates: false + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bounce.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bounce.yml new file mode 100755 index 0000000000..698efbb307 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bounce.yml @@ -0,0 +1,11 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^%{WORD:cisco_secure_email_gateway.log.bounce_type}: DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} MID %{NUMBER:email.message_id} From:<%{GREEDYDATA:email.from.address}> To:<%{GREEDYDATA:email.to.address}> RID %{NUMBER:cisco_secure_email_gateway.log.recipient_id} - %{DATA:cisco_secure_email_gateway.log.error_code} - %{GREEDYDATA:event.reason} \\(%{GREEDYDATA:cisco_secure_email_gateway.log.response}\\)" + - "^%{WORD:cisco_secure_email_gateway.log.bounce_type}: %{NUMBER:email.message_id}:%{NUMBER:cisco_secure_email_gateway.log.recipient_id} From:<%{GREEDYDATA:email.from.address}> To:<%{GREEDYDATA:email.to.address}>" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml new file mode 100755 index 0000000000..a3d4d38808 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml @@ -0,0 +1,110 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^CEF:%{NUMBER:cisco_secure_email_gateway.log.cef_format_version}\\|%{WORD:cisco_secure_email_gateway.log.appliance.vendor}\\|%{DATA:cisco_secure_email_gateway.log.appliance.product}\\|%{DATA:cisco_secure_email_gateway.log.appliance.version}\\|%{DATA:cisco_secure_email_gateway.log.event_class_id}\\|%{DATA:cisco_secure_email_gateway.log.event.name}\\|%{WORD:event.severity}\\|%{GREEDYDATA:_tmp.details} endTime=%{DATA:event.end} ESADLPVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dlp_verdict} dvc=%{IP:cisco_secure_email_gateway.log.data.ip} ESAAttachmentDetails=\\{%{GREEDYDATA:cisco_secure_email_gateway.log.esa.attachment_details}\\} ESAFriendlyFrom=%{GREEDYDATA:cisco_secure_email_gateway.log.esa.friendly_from} ESAGMVerdict=%{WORD:cisco_secure_email_gateway.log.esa.graymail_verdict} startTime=%{DATA:event.start} (deviceInboundInterface||deviceOutboundInterface)=%{WORD:cisco_secure_email_gateway.log.listener.name} deviceDirection=%{DATA:cisco_secure_email_gateway.log.device_direction} ESAMailFlowPolicy=%{WORD:cisco_secure_email_gateway.log.esa.mail_flow_policy} suser=%{DATA:email.from.address} cs1Label=%{WORD:cisco_secure_email_gateway.log.cs1_label} cs1=%{WORD:cisco_secure_email_gateway.log.cs1} ESAMFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.mf_verdict} act=%{WORD:cisco_secure_email_gateway.log.act} ESAFinalActionDetails=%{DATA:cisco_secure_email_gateway.log.esa.final_action_details} cs4Label=%{GREEDYDATA:cisco_secure_email_gateway.log.cs4_label} cs4='<%{DATA:cisco_secure_email_gateway.log.cs4}>' ESAMsgSize=%{NUMBER:cisco_secure_email_gateway.log.esa.msg_size:long} ESAOFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.outbreak_filter_verdict} duser=%{DATA:email.to.address} ESAHeloIP=%{IP:cisco_secure_email_gateway.log.esa.helo.ip} cfp1Label=%{WORD:cisco_secure_email_gateway.log.cfp1_label} cfp1=%{DATA:_tmp.cfp1} ESASDRDomainAge=%{DATA:cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age} cs3Label=%{WORD:cisco_secure_email_gateway.log.cs3_label} cs3=%{DATA:cisco_secure_email_gateway.log.cs3} cs6Label=%{DATA:cisco_secure_email_gateway.log.cs6_label} cs6=%{DATA:cisco_secure_email_gateway.log.cs6} ESASPFVerdict=%{DATA:cisco_secure_email_gateway.log.esa.spf_verdict} sourceHostName=%{DATA:source.domain} ESASenderGroup=%{DATA:cisco_secure_email_gateway.log.esa.sender_group} sourceAddress=%{IP:source.ip} msg=%{GREEDYDATA:email.subject}" + - "^%{DATA:_tmp.timestamp} CEF:%{NUMBER:cisco_secure_email_gateway.log.cef_format_version}\\|%{WORD:cisco_secure_email_gateway.log.appliance.vendor}\\|%{DATA:cisco_secure_email_gateway.log.appliance.product}\\|%{DATA:cisco_secure_email_gateway.log.appliance.version}\\|%{DATA:cisco_secure_email_gateway.log.event_class_id}\\|%{DATA:cisco_secure_email_gateway.log.event.name}\\|%{WORD:event.severity}\\|%{GREEDYDATA:_tmp.details} endTime=%{DATA:event.end} ESADLPVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dlp_verdict} dvc=%{IP:cisco_secure_email_gateway.log.data.ip} ESAAttachmentDetails=\\{%{GREEDYDATA:cisco_secure_email_gateway.log.esa.attachment_details}\\} ESAFriendlyFrom=%{GREEDYDATA:cisco_secure_email_gateway.log.esa.friendly_from} ESAGMVerdict=%{WORD:cisco_secure_email_gateway.log.esa.graymail_verdict} startTime=%{DATA:event.start} (deviceInboundInterface||deviceOutboundInterface)=%{WORD:cisco_secure_email_gateway.log.listener.name} deviceDirection=%{DATA:cisco_secure_email_gateway.log.device_direction} ESAMailFlowPolicy=%{WORD:cisco_secure_email_gateway.log.esa.mail_flow_policy} suser=%{DATA:email.from.address} cs1Label=%{WORD:cisco_secure_email_gateway.log.cs1_label} cs1=%{WORD:cisco_secure_email_gateway.log.cs1} ESAMFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.mf_verdict} act=%{WORD:cisco_secure_email_gateway.log.act} ESAFinalActionDetails=%{DATA:cisco_secure_email_gateway.log.esa.final_action_details} cs4Label=%{GREEDYDATA:cisco_secure_email_gateway.log.cs4_label} cs4='<%{DATA:cisco_secure_email_gateway.log.cs4}>' ESAMsgSize=%{NUMBER:cisco_secure_email_gateway.log.esa.msg_size:long} ESAOFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.outbreak_filter_verdict} duser=%{DATA:email.to.address} ESAHeloIP=%{IP:cisco_secure_email_gateway.log.esa.helo.ip} cfp1Label=%{WORD:cisco_secure_email_gateway.log.cfp1_label} cfp1=%{DATA:_tmp.cfp1} ESASDRDomainAge=%{DATA:cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age} cs3Label=%{WORD:cisco_secure_email_gateway.log.cs3_label} cs3=%{DATA:cisco_secure_email_gateway.log.cs3} cs6Label=%{DATA:cisco_secure_email_gateway.log.cs6_label} cs6=%{DATA:cisco_secure_email_gateway.log.cs6} ESASPFVerdict=%{DATA:cisco_secure_email_gateway.log.esa.spf_verdict} sourceHostName=%{DATA:source.domain} ESASenderGroup=%{DATA:cisco_secure_email_gateway.log.esa.sender_group} sourceAddress=%{IP:source.ip} msg=%{GREEDYDATA:email.subject}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - kv: + field: _tmp.details + if: ctx?._tmp?.details != null + field_split: " | " + value_split: "=" + ignore_failure: true + ignore_missing: true + - append: + field: related.ip + value: "{{{cisco_secure_email_gateway.log.esa.helo.ip}}}" + if: ctx?.cisco_secure_email_gateway?.log?.esa?.helo?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{cisco_secure_email_gateway.log.data.ip}}}" + if: ctx?.cisco_secure_email_gateway?.log?.data?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - set: + field: email.direction + value: inbound + if: ctx?.cisco_secure_email_gateway?.log?.listener?.name == "Incomingmail" + ignore_failure: true + - set: + field: email.direction + value: outbound + if: ctx?.cisco_secure_email_gateway?.log?.listener?.name == "Outcomingmail" + ignore_failure: true + - set: + field: cisco_secure_email_gateway.log.device_direction + value: incoming + if: ctx?.cisco_secure_email_gateway?.log?.device_direction == "0" + ignore_failure: true + - set: + field: cisco_secure_email_gateway.log.device_direction + value: outgoing + if: ctx?.cisco_secure_email_gateway?.log?.device_direction == "1" + ignore_failure: true + - rename: + field: deviceExternalId + target_field: host.id + ignore_missing: true + - rename: + field: ESAMID + target_field: email.message_id + ignore_missing: true + ignore_failure: true + - rename: + field: ESAICID + target_field: cisco_secure_email_gateway.log.esa.injection_connection_id + ignore_missing: true + - rename: + field: ESAAMPVerdict + target_field: cisco_secure_email_gateway.log.esa.amp_verdict + ignore_missing: true + - rename: + field: ESAASVerdict + target_field: cisco_secure_email_gateway.log.esa.as_verdict + ignore_missing: true + - rename: + field: ESAAVVerdict + target_field: cisco_secure_email_gateway.log.esa.av_verdict + ignore_missing: true + - rename: + field: ESACFVerdict + target_field: cisco_secure_email_gateway.log.esa.content_filter_verdict + ignore_missing: true + - gsub: + field: email.subject + pattern: \' + replacement: "" + ignore_failure: true + - convert: + field: _tmp.cfp1 + target_field: cisco_secure_email_gateway.log.cfp1 + type: double + if: ctx?._tmp?.cfp1 != 'None' + ignore_missing: true + ignore_failure: true + - date: + field: _tmp.timestamp + target_field: "@timestamp" + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + ignore_failure: true + - remove: + field: + - _tmp + ignore_failure: true + ignore_missing: true diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_content_scanner.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_content_scanner.yml new file mode 100755 index 0000000000..fdb1879369 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_content_scanner.yml @@ -0,0 +1,11 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^PF: %{WORD:cisco_secure_email_gateway.log.vendor_action} %{WORD:cisco_secure_email_gateway.log.object} %{GREEDYDATA:cisco_secure_email_gateway.log.object_category}" + - "^PF: %{WORD:cisco_secure_email_gateway.log.vendor_action} %{GREEDYDATA:cisco_secure_email_gateway.log.object_category} \\(pid=%{NUMBER:process.pid:long}\\)" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_error_logs.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_error_logs.yml new file mode 100755 index 0000000000..00c83cbb84 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_error_logs.yml @@ -0,0 +1,20 @@ +--- +processors: + - set: + field: event.kind + value: event + - set: + field: event.type + value: [error] + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^Internal %{DATA:network.protocol} giving up on message to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.description}: Unable to send System/Warning %{DATA:event.kind} to %{DATA:email.to.address} with subject \"%{GREEDYDATA:email.subject}\"." + - "^%{WORD:cisco_secure_email_gateway.log.alert_category}: %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^Internal %{DATA:network.protocol} system attempting to send a message to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + ignore_failure: true + - lowercase: + field: network.protocol + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gui_logs.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gui_logs.yml new file mode 100755 index 0000000000..f157537a53 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gui_logs.yml @@ -0,0 +1,70 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^req:%{DATA:client.ip:IP} user:%{DATA:user.name} id:%{DATA:event.id} %{NUMBER:http.response.status_code:long} %{WORD:http.request.method} %{DATA:url.path} HTTP/%{NUMBER:http.version} %{GREEDYDATA:user_agent.original}" + - "^Action: User %{USERNAME:user.name} %{GREEDYDATA:cisco_secure_email_gateway.log.action} from session %{GREEDYDATA:cisco_secure_email_gateway.log.session} beacuse of inactivity timeout" + - "^Session %{DATA:cisco_secure_email_gateway.log.session} user:%{USERNAME:user.name} %{WORD:cisco_secure_email_gateway.log.result}" + - "^Session %{DATA:cisco_secure_email_gateway.log.session} from %{IP:host.ip} not found Destination:%{GREEDYDATA:cisco_secure_email_gateway.log.destination}" + - "^SourceIP:%{IP:host.ip} Destination:%{GREEDYDATA:cisco_secure_email_gateway.log.destination} Username:%{USERNAME:user.name} Privilege:%{DATA:cisco_secure_email_gateway.log.privilege} session:%{DATA:cisco_secure_email_gateway.log.session} Action: %{GREEDYDATA:cisco_secure_email_gateway.log.action}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject}: %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject} %{IP:source.ip}:%{NUMBER:source.port:long} - \\(%{GREEDYDATA:cisco_secure_email_gateway.log.description}\\)" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject} %{IP:source.ip} port %{NUMBER:source.port:long} - %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{DATA:cisco_secure_email_gateway.log.object} has been %{DATA:cisco_secure_email_gateway.log.action} for user %{USERNAME:user.name}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - user_agent: + field: user_agent.original + if: ctx?.user_agent?.original != '-' + ignore_failure: true + - set: + field: event.category + value: [web] + if: ctx?.http?.request?.method != null + - set: + field: event.type + value: [access] + if: ctx?.http?.request?.method != null + - set: + field: event.category + value: [session] + if: ctx?.cisco_secure_email_gateway?.log?.result == 'expired' || ctx?.cisco_secure_email_gateway?.log?.action == 'logged out' + - set: + field: event.type + value: [end] + if: ctx?.cisco_secure_email_gateway?.log?.result == 'expired' || ctx?.cisco_secure_email_gateway?.log?.action == 'logged out' + - remove: + field: user.name + if: ctx?.user?.name == '-' + ignore_failure: true + - remove: + field: user_agent.original + if: ctx?.user_agent?.original == '-' + ignore_failure: true + - append: + field: related.ip + value: "{{{client.ip}}}" + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{host.ip}}}" + if: ctx?.host?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: "{{{user.name}}}" + if: ctx?.user?.name != null && ctx?.user?.name != '-' + allow_duplicates: false + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_status.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_status.yml new file mode 100755 index 0000000000..b460fae1cf --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_status.yml @@ -0,0 +1,10 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^Status: CPULd %{NUMBER:cisco_secure_email_gateway.log.cpu.utilization:long} DskIO %{NUMBER:cisco_secure_email_gateway.log.disk_io:long} RAMUtil %{NUMBER:cisco_secure_email_gateway.log.ram.utilization:long} QKUsd %{NUMBER:cisco_secure_email_gateway.log.queue_kilobytes_usd:long} QKFre %{NUMBER:cisco_secure_email_gateway.log.queue_kilobytes_free:long} CrtMID %{NUMBER:email.message_id} CrtICID %{NUMBER:cisco_secure_email_gateway.log.crt.injection_connection_id} CrtDCID %{NUMBER:cisco_secure_email_gateway.log.crt.delivery_connection_id} InjMsg %{NUMBER:cisco_secure_email_gateway.log.injected.messages:long} InjRcp %{NUMBER:cisco_secure_email_gateway.log.injected.recipients:long} GenBncRcp %{NUMBER:cisco_secure_email_gateway.log.generated_bounce_recipients:long} RejRcp %{NUMBER:cisco_secure_email_gateway.log.rejected_recipients:long} DrpMsg %{NUMBER:cisco_secure_email_gateway.log.dropped_messages:long} SftBncEvnt %{NUMBER:cisco_secure_email_gateway.log.soft_bounced_events:long} CmpRcp %{NUMBER:cisco_secure_email_gateway.log.completed_recipients:long} HrdBncRcp %{NUMBER:cisco_secure_email_gateway.log.hard_bounce_recipients:long} DnsHrdBnc %{NUMBER:cisco_secure_email_gateway.log.dns.hard_bounces:long} 5XXHrdBnc %{NUMBER:cisco_secure_email_gateway.log.5xx_hard_bounces:long} FltrHrdBnc %{NUMBER:cisco_secure_email_gateway.log.filter_hard_bounces:long} ExpHrdBnc %{NUMBER:cisco_secure_email_gateway.log.expired_hard_bounces:long} OtrHrdBnc %{NUMBER:cisco_secure_email_gateway.log.other_hard_bounces:long} DlvRcp %{NUMBER:cisco_secure_email_gateway.log.delivered_recipients:long} DelRcp %{NUMBER:cisco_secure_email_gateway.log.deleted_recipients:long} GlbUnsbHt %{NUMBER:cisco_secure_email_gateway.log.global_unsubscribe_hits:long} ActvRcp %{NUMBER:cisco_secure_email_gateway.log.active_recipients:long} UnatmptRcp %{NUMBER:cisco_secure_email_gateway.log.unattempted_recipients:long} AtmptRcp %{NUMBER:cisco_secure_email_gateway.log.attempted_recipients:long} CrtCncIn %{NUMBER:cisco_secure_email_gateway.log.current.inbound_connections:long} CrtCncOut %{NUMBER:cisco_secure_email_gateway.log.current.outbound_connections:long} DnsReq %{NUMBER:cisco_secure_email_gateway.log.dns.requests:long} NetReq %{NUMBER:cisco_secure_email_gateway.log.network_requests:long} CchHit %{NUMBER:cisco_secure_email_gateway.log.cache.hits:long} CchMis %{NUMBER:cisco_secure_email_gateway.log.cache.misses:long} CchEct %{NUMBER:cisco_secure_email_gateway.log.cache.exceptions:long} CchExp %{NUMBER:cisco_secure_email_gateway.log.cache.expired:long} CPUTTm %{NUMBER:cisco_secure_email_gateway.log.cpu.total_time:long} CPUETm %{NUMBER:cisco_secure_email_gateway.log.cpu.elapsed_time:long} MaxIO %{NUMBER:cisco_secure_email_gateway.log.max_io:long} RAMUsd %{NUMBER:cisco_secure_email_gateway.log.ram.used:long} MMLen %{NUMBER:cisco_secure_email_gateway.log.messages_length:long} DstInMem %{NUMBER:cisco_secure_email_gateway.log.destination_memory:long} ResCon %{NUMBER:cisco_secure_email_gateway.log.resource_conservation:long} WorkQ %{NUMBER:cisco_secure_email_gateway.log.work_queue:long} QuarMsgs %{NUMBER:cisco_secure_email_gateway.log.quarantine.messages:long} QuarQKUsd %{NUMBER:cisco_secure_email_gateway.log.quarantine.queue_kilobytes_used:long} LogUsd %{NUMBER:cisco_secure_email_gateway.log.log_used:long} SophLd %{NUMBER:cisco_secure_email_gateway.log.sophos_ld:long} BMLd %{NUMBER:cisco_secure_email_gateway.log.bmld:long} CASELd %{NUMBER:cisco_secure_email_gateway.log.case_ld:long} TotalLd %{NUMBER:cisco_secure_email_gateway.log.total_ld:long} LogAvail %{DATA:cisco_secure_email_gateway.log.log_available} EuQ %{NUMBER:cisco_secure_email_gateway.log.estimated.quarantine:long} EuqRls %{NUMBER:cisco_secure_email_gateway.log.estimated.quarantine_release_queue:long} CmrkLd %{NUMBER:cisco_secure_email_gateway.log.cmrkld:long} McafLd %{NUMBER:cisco_secure_email_gateway.log.mcafee_ld:long} SwIn %{NUMBER:cisco_secure_email_gateway.log.swapped.in:long} SwOut %{NUMBER:cisco_secure_email_gateway.log.swapped.out:long} SwPgIn %{NUMBER:cisco_secure_email_gateway.log.swapped.page.in:long} SwPgOut %{NUMBER:cisco_secure_email_gateway.log.swapped.page.out:long} SwapUsage %{DATA:cisco_secure_email_gateway.log.swap_usage} RptLd %{NUMBER:cisco_secure_email_gateway.log.reporting_load:long} QtnLd %{NUMBER:cisco_secure_email_gateway.log.quarantine.load:long} EncrQ %{NUMBER:cisco_secure_email_gateway.log.encryption_queue:long} InjBytes %{NUMBER:cisco_secure_email_gateway.log.injected.bytes:long}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system.yml new file mode 100755 index 0000000000..2a3a50fdb2 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system.yml @@ -0,0 +1,20 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^PID %{NUMBER:process.pid:long}: User %{USERNAME:user.name} commit changes:%{GREEDYDATA:cisco_secure_email_gateway.log.commit_changes}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.name}: qname:%{DATA:cisco_secure_email_gateway.log.qname} ns_name:%{DATA:cisco_secure_email_gateway.log.ns_name} zone:%{DATA:cisco_secure_email_gateway.log.zone} ref_zone:%{DATA:cisco_secure_email_gateway.log.ref_zone} referrals:%{GREEDYDATA:cisco_secure_email_gateway.log.referrals}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject}\\. %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject} to '%{GREEDYDATA:cisco_secure_email_gateway.log.description} ' '" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject}: %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - append: + field: related.user + value: "{{{user.name}}}" + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_text_mail_logs.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_text_mail_logs.yml new file mode 100755 index 0000000000..5d350fd5f8 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/elasticsearch/ingest_pipeline/pipeline_text_mail_logs.yml @@ -0,0 +1,53 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^graymail \\[CONFIG\\] %{WORD:cisco_secure_email_gateway.log.vendor_action} %{GREEDYDATA:cisco_secure_email_gateway.log.object}" + - "^URL_REP_CLIENT: %{WORD:cisco_secure_email_gateway.log.object_attr} %{DATA:cisco_secure_email_gateway.log.type}. Triggering %{WORD:cisco_secure_email_gateway.log.vendor_action} of %{GREEDYDATA:cisco_secure_email_gateway.log.object}." + - "^MID %{NUMBER:email.message_id} %{GREEDYDATA:cisco_secure_email_gateway.log.subject}. Severity: %{WORD:cisco_secure_email_gateway.log.severity} \\(Risk Factor: %{NUMBER:cisco_secure_email_gateway.log.risk_factor:long}\\). %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^A System/Warning %{DATA:event.kind} was sent to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^%{WORD:cisco_secure_email_gateway.log.connection_status} %{WORD:network.protocol} ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id} interface Management \\(%{IP:cisco_secure_email_gateway.log.interface}\\) address %{IP:cisco_secure_email_gateway.log.address} reverse dns host %{DATA:dns.question.name} verified %{WORD:cisco_secure_email_gateway.log.verified}" + - "^%{WORD:cisco_secure_email_gateway.log.connection_status} MID %{NUMBER:email.message_id} ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id}" + - "^MID %{NUMBER:email.message_id} ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id} From: <%{DATA:email.from.address}>" + - "^MID %{NUMBER:email.message_id} ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id} RID %{DATA:cisco_secure_email_gateway.log.recipient_id} To: <%{DATA:email.to.address}>" + - "^MID %{NUMBER:email.message_id} ready %{NUMBER:cisco_secure_email_gateway.log.read_bytes:long} bytes from <%{DATA:email.from.address}>" + - "^ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id} %{WORD:cisco_secure_email_gateway.log.connection_status}" + - "^%{DATA:cisco_secure_email_gateway.log.message_status} %{WORD:network.protocol} DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} interface %{IP:cisco_secure_email_gateway.log.interface} address %{IP:cisco_secure_email_gateway.log.address}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message_status} DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} MID %{NUMBER:email.message_id} to RID \\[%{DATA:cisco_secure_email_gateway.log.recipient_id}\\]" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message_status} DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} MID %{NUMBER:email.message_id} to RID \\[%{DATA:cisco_secure_email_gateway.log.recipient_id}\\]" + - "^DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} %{WORD:cisco_secure_email_gateway.log.connection_status}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject}\\. %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.description}: Unable to send System/Warning %{DATA:event.kind} to %{DATA:email.to.address} with subject \"%{GREEDYDATA:email.subject}\"." + - "^Internal %{DATA:network.protocol} system successfully sent a message to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^Internal %{DATA:network.protocol} giving up on message to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^Internal %{DATA:network.protocol} Error: %{GREEDYDATA:cisco_secure_email_gateway.log.description} to host %{IP:destination.ip}:%{NUMBER:destination.port:long} for recipient %{DATA:email.to.address}: %{GREEDYDATA:cisco_secure_email_gateway.log.subject}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - lowercase: + field: network.protocol + ignore_failure: true + - set: + field: event.type + if: ctx?.cisco_secure_email_gateway?.log?.type == "changed" + value: change + - append: + field: related.ip + value: "{{{cisco_secure_email_gateway.log.interface}}}" + if: ctx?.cisco_secure_email_gateway?.log?.interface != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{cisco_secure_email_gateway.log.address}}}" + if: ctx?.cisco_secure_email_gateway?.log?.address != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{destination.ip}}}" + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/agent.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..57c63446e2 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/agent.yml @@ -0,0 +1,183 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: log.offset + type: long + description: Log offset diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/base-fields.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..728f08ea5a --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_secure_email_gateway.log +- name: event.module + type: constant_keyword + description: Event module + value: cisco_secure_email_gateway +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/ecs.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..3c974fea42 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/ecs.yml @@ -0,0 +1,176 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: SHA256 hash. + name: email.attachments.file.hash.sha256 + type: keyword +- description: |- + The MIME media type of the attachment. + This value will typically be extracted from the `Content-Type` MIME header field. + name: email.attachments.file.mime_type + type: keyword +- description: Name of the attachment file including the file extension. + name: email.attachments.file.name + type: keyword +- description: Attachment file size in bytes. + name: email.attachments.file.size + type: long +- description: |- + Information about how the message is to be displayed. + Typically a MIME type. + name: email.content_type + type: keyword +- description: The direction of the message based on the sending and receiving domains. + name: email.direction + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + normalize: + - array + type: keyword +- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. + name: email.message_id + type: wildcard +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: The email address of recipient + name: email.to.address + normalize: + - array + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: HTTP version. + name: http.version + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/fields.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..0b6fbd185e --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/fields/fields.yml @@ -0,0 +1,506 @@ +- name: cisco_secure_email_gateway.log + type: group + fields: + - name: 5xx_hard_bounces + type: long + description: 5XX Hard Bounces. + - name: act + type: keyword + - name: action + type: keyword + - name: active_recipients + type: long + description: Active Recipients. + - name: address + type: ip + - name: alert_category + type: keyword + - name: appliance + type: group + fields: + - name: product + type: keyword + - name: vendor + type: keyword + - name: version + type: keyword + - name: attempted_recipients + type: long + description: Attempted Recipients. + - name: backoff + type: long + description: The number of (x) seconds before the email gateway needs to wait before it makes an attempt to upload the file to the file analysis server. This occurs when the email gateway reaches the daily upload limit. + - name: bmld + type: long + - name: bounce_type + type: keyword + description: Bounced or delayed (for example, hard or soft-bounce). + - name: cache + type: group + fields: + - name: exceptions + type: long + description: Cache Exceptions. + - name: expired + type: long + description: Cache Expired. + - name: hits + type: long + description: Cache Hits. + - name: misses + type: long + description: Cache Misses. + - name: case_id + type: keyword + - name: case_ld + type: long + description: Percent CPU used by CASE scanning. + - name: category + type: group + fields: + - name: name + type: keyword + - name: cef_format_version + type: keyword + - name: cfp1 + type: double + - name: cfp1_label + type: keyword + - name: cmrkld + type: long + - name: command + type: text + - name: commit_changes + type: text + - name: completed_recipients + type: long + description: Completed Recipients. + - name: connection + type: keyword + - name: connection_status + type: keyword + - name: cpu + type: group + fields: + - name: elapsed_time + type: long + description: Elapsed time since the application started. + - name: total_time + type: long + description: Total CPU time used by the application. + - name: utilization + type: long + description: CPU Utilization. + - name: crt + type: group + fields: + - name: delivery_connection_id + type: keyword + description: Delivery Connection ID (DCID). + - name: injection_connection_id + type: keyword + description: Injection Connection ID (ICID). + - name: cs1 + type: keyword + - name: cs1_label + type: keyword + - name: cs2 + type: keyword + - name: cs2_label + type: keyword + - name: cs3 + type: keyword + - name: cs3_label + type: keyword + - name: cs4 + type: keyword + - name: cs4_label + type: keyword + - name: cs5 + type: keyword + - name: cs5_label + type: keyword + - name: cs6 + type: keyword + - name: cs6_label + type: keyword + - name: current + type: group + fields: + - name: inbound_connections + type: long + description: Current Inbound Connections. + - name: outbound_connections + type: long + description: Current Outbound Connections. + - name: data + type: group + fields: + - name: ip + type: ip + - name: deleted_recipients + type: long + description: Deleted Recipients. + - name: delivered_recipients + type: long + description: Delivered Recipients. + - name: delivery_connection_id + type: keyword + description: Delivery Connection ID. This is a numerical identifier for an individual SMTP connection to another server, for delivery of 1 to thousands of messages, each with some or all of their RIDs being delivered in a single message transmission. + - name: description + type: text + - name: destination + type: text + - name: destination_memory + type: long + description: Number of destination objects in memory. + - name: details + type: text + description: Additional information. + - name: device_direction + type: keyword + - name: disk_io + type: long + description: Disk I/O Utilization. + - name: disposition + type: keyword + description: "" + The file reputation disposition values are: MALICIOUS CLEAN FILE UNKNOWN - When the reputation score is zero. VERDICT UNKNOWN - When the disposition is FILE UNKNOWN and score is non-zero. LOW RISK - When no dynamic content is found in a file after file analysis, the verdict is Low Risk. The file is not sent for file analysis, and the message continues through the email pipeline. + - name: dns + type: group + fields: + - name: hard_bounces + type: long + description: DNS Hard Bounces. + - name: requests + type: long + description: DNS Requests. + - name: dropped_messages + type: long + description: Dropped Messages. + - name: encryption_queue + type: long + description: Messages in the Encryption Queue. + - name: error_code + type: keyword + - name: esa + type: group + fields: + - name: amp_verdict + type: keyword + - name: as_verdict + type: keyword + - name: attachment_details + type: text + - name: av_verdict + type: keyword + - name: content_filter_verdict + type: keyword + - name: delivery_connection_id + type: keyword + - name: dha_source + type: keyword + - name: dkim_verdict + type: keyword + - name: dlp_verdict + type: keyword + - name: dmarc_verdict + type: keyword + - name: final_action_details + type: text + - name: friendly_from + type: keyword + - name: graymail_verdict + type: keyword + - name: helo + type: group + fields: + - name: ip + type: ip + - name: injection_connection_id + type: keyword + - name: mail_auto_remediation_action + type: text + - name: mail_flow_policy + type: keyword + - name: mf_verdict + type: keyword + - name: msg_size + type: long + - name: msg_too_big_from_sender + type: boolean + - name: outbreak_filter_verdict + type: keyword + - name: rate_limited_ip + type: keyword + - name: reply_to + type: keyword + - name: sdr_consolidated_domain_age + type: text + - name: sender_group + type: keyword + - name: spf_verdict + type: keyword + - name: url_details + type: text + - name: estimated + type: group + fields: + - name: quarantine + type: long + description: Estimated number of messages in the Spam quarantine. + - name: quarantine_release_queue + type: long + description: Estimated number of messages in the Spam quarantine release queue. + - name: event + type: group + fields: + - name: name + type: keyword + - name: event_class_id + type: keyword + - name: expired_hard_bounces + type: long + description: Expired Hard Bounces. + - name: filter_hard_bounces + type: long + description: Filter Hard Bounces. + - name: generated_bounce_recipients + type: long + description: Generated Bounce Recipients. + - name: global_unsubscribe_hits + type: long + description: Global Unsubscribe Hits. + - name: hard_bounce_recipients + type: long + description: Hard Bounced Recipients. + - name: injected + type: group + fields: + - name: bytes + type: long + description: Total Injected Message Size in Bytes. + - name: messages + type: long + description: Injected Messages. + - name: recipients + type: long + description: Injected Recipients. + - name: injection_connection_id + type: keyword + description: Injection Connection ID. This is a numerical identifier for an individual SMTP connection to the system, over which 1 to thousands of individual messages may be sent. + - name: interface + type: keyword + - name: listener + type: group + fields: + - name: name + type: keyword + - name: log_available + type: keyword + description: Amount of disk space available for log files. + - name: log_used + type: long + description: Percent of log partition used. + - name: malware + type: keyword + description: The name of the malware threat. + - name: max_io + type: long + description: Maximum disk I/O operations per second for the mail process. + - name: mcafee_ld + type: long + description: Percent CPU used by McAfee anti-virus scanning. + - name: message + type: text + - name: message_filters_verdict + type: keyword + - name: messages_length + type: long + description: Total number of messages in the system. + - name: message_status + type: keyword + - name: name + type: keyword + - name: ns_name + type: keyword + - name: network_requests + type: long + description: Network Requests. + - name: object + type: keyword + - name: object_attr + type: keyword + - name: object_category + type: keyword + - name: other_hard_bounces + type: long + description: Other Hard Bounces. + - name: outcome + type: keyword + - name: privilege + type: keyword + - name: qname + type: keyword + - name: quarantine + type: group + fields: + - name: load + type: long + description: CPU load during the Quarantine process. + - name: messages + type: long + description: Number of individual messages in policy, virus, or outbreak quarantine (messages present in multiple quarantines are counted only once). + - name: queue_kilobytes_used + type: long + description: KBytes used by policy, virus, and outbreak quarantine messages. + - name: queue_kilobytes_free + type: long + description: Queue Kilobytes Free. + - name: queue_kilobytes_usd + type: long + description: Queue Kilobytes Used. + - name: ram + type: group + fields: + - name: used + type: long + description: Allocated memory in bytes. + - name: utilization + type: long + description: RAM Utilization. + - name: read_bytes + type: long + - name: recepients + type: keyword + - name: ref_zone + type: keyword + - name: referrals + type: text + - name: rejected_recipients + type: long + description: Rejected Recipients. + - name: reporting_load + type: long + description: CPU load during the Reporting process. + - name: reputation_score + type: keyword + description: The reputation score assigned to the file by the file reputation server. + - name: resource_conservation + type: long + description: Resource conservation tarpit value. Acceptance of incoming mail is delayed by this number of seconds due to heavy system load. + - name: response + type: text + description: SMTP response code and message from recipient host. + - name: result + type: text + - name: recipient_id + type: keyword + description: Recipient ID. + - name: retries + type: long + description: The number of upload attempts performed on a given file. + - name: risk_factor + type: long + - name: run_id + type: keyword + description: The numeric value (ID) assigned to the file by the file analysis server for a particular file analysis. + - name: score + type: long + description: The analysis score assigned to the file by the file analysis server. + - name: server_error_details + type: text + - name: session + type: keyword + - name: severity + type: keyword + - name: soft_bounced_events + type: long + description: Soft Bounced Events. + - name: sophos_ld + type: long + description: Percent CPU used by Sophos anti-virus scanning. + - name: spy_name + type: keyword + description: The name of the threat, if a malware is found in the file during file analysis. + - name: start_time + type: keyword + - name: subject + type: text + - name: submit + type: group + fields: + - name: timestamp + type: date + description: The date and time at which the file is uploaded to the file analysis server by the email gateway. + - name: swap_usage + type: keyword + - name: swapped + type: group + fields: + - name: in + type: long + description: Memory swapped in. + - name: out + type: long + description: Memory swapped out. + - name: page + type: group + fields: + - name: in + type: long + description: Memory paged in. + - name: out + type: long + description: Memory paged out. + - name: total_ld + type: long + description: Total CPU consumption. + - name: type + type: keyword + - name: unattempted_recipients + type: long + description: Unattempted Recipients. + - name: update + type: group + fields: + - name: timestamp + type: date + description: The date and time at which the file analysis for the file is complete. + - name: upload + type: group + fields: + - name: action + type: keyword + description: > + The upload action value recommended by the file reputation server to take on the given file 0 - Need not send for upload. 1 - Send file for upload. Note The email gateway uploads the file when the upload action value is ‘1.’. 2 - Do not send file for upload. 3 - Send only metadata for upload. + + - name: priority + type: keyword + description: "" + Upload priority values are: High - For all selected file types, except PDF file type. Low - For only PDF file types. + - name: verified + type: keyword + - name: vendor_action + type: keyword + - name: verdict + type: keyword + description: The file retrospective verdict value is malicious or clean. + - name: work_queue + type: long + description: This is the number of messages currently in the work queue. + - name: zone + type: keyword +- name: filepath + type: keyword +- name: log.file.path + type: keyword + description: File path from which the log event was read / sent from. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. +- name: type + type: keyword + description: Input type. +- name: input.type + type: keyword diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/manifest.yml b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/manifest.yml new file mode 100755 index 0000000000..a4521eecb6 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/manifest.yml @@ -0,0 +1,141 @@ +title: Cisco Secure Email Gateway logs +type: logs +streams: + - input: tcp + template_path: tcp.yml.hbs + title: Cisco Secure Email Gateway logs + description: Collect Cisco Secure Email Gateway logs via TCP input. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 514 + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate: "/etc/server/cert.pem" + #key: "/etc/server/key.pem" + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_secure_email_gateway-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + template_path: udp.yml.hbs + title: Cisco Secure Email Gateway logs + description: Collect Cisco Secure Email Gateway logs via UDP input. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 514 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_secure_email_gateway-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile + template_path: stream.yml.hbs + title: Cisco Secure Email Gateway logs + description: Collect Cisco Secure Email Gateway logs via logfile. + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_secure_email_gateway-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/sample_event.json b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/sample_event.json new file mode 100755 index 0000000000..5a7630d683 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/data_stream/log/sample_event.json @@ -0,0 +1,64 @@ +{ + "@timestamp": "2022-03-17T18:24:37.000Z", + "agent": { + "ephemeral_id": "76b54e2f-6051-4831-a042-28f1eabce453", + "hostname": "docker-fleet-agent", + "id": "4ab79874-377f-4d22-87e0-fc0522d5a90a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "message": "File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec" + } + }, + "data_stream": { + "dataset": "cisco_secure_email_gateway.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4ab79874-377f-4d22-87e0-fc0522d5a90a", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "attachments": { + "file": { + "name": "mod-6.exe", + "size": 1673216 + } + }, + "content_type": "application/x-dosexec", + "message_id": "5" + }, + "event": { + "agent_id_status": "verified", + "dataset": "cisco_secure_email_gateway.log", + "ingested": "2022-04-27T07:21:12Z", + "kind": "event" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "info", + "source": { + "address": "172.19.0.1:52733" + }, + "syslog": { + "priority": 166 + } + }, + "tags": [ + "forwarded", + "cisco_secure_email_gateway-log" + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/docs/README.md b/packages/cisco_secure_email_gateway/1.0.1/docs/README.md new file mode 100755 index 0000000000..ad5f74381d --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/docs/README.md @@ -0,0 +1,531 @@ +# Cisco Secure Email Gateway + +The [Cisco Email Security Appliance](https://www.cisco.com/c/en/us/products/security/email-security/index.html) integration collects and parses data from Cisco Secure Email Gateway using TCP/UDP and logfile. + +## Compatibility + +This module has been tested against **Cisco Secure Email Gateway server version 14.0.0 Virtual Gateway C100V with the below given logs pattern**. + +## Configurations + +- Sign-in to Cisco Secure Email Gateway Portal and follow the below steps for configurations: + 1. In Cisco Secure Email Gateway Administrator Portal, go to **System Administration** > **Log Subscriptions**. + 2. Click **Add Log Subscription**. + 3. Enter all the **Required Details**. + 4. Set **Log Name** as below for the respective category: + - AMP Engine Logs -> amp + - Anti-Spam Logs -> antispam + - Authentication Logs -> authentication + - Bounce Logs -> bounces + - Consolidated Event Logs -> consolidated_event + - Content Scanner Logs -> content_scanner + - HTTP Logs -> gui_logs + - IronPort Text Mail Logs -> error_logs + - Text Mail Logs -> mail_logs + - Status Logs -> status + - System Logs -> system + 5. Select **Log Level** as Information. + 6. Select **Retrieval Method**. + 7. Click **Submit** and commit the Changes. + +## Note + +- **Retrieval Method** Supported: + - **FTP Push to Remote Server** for the below categories: + AMP Engine Logs, Anti-Spam Logs, Anti-Spam Logs, Authentication Logs, Bounce Logs, Consolidated Event Logs, Content Scanner Logs, HTTP Logs, IronPort Text Mail Logs, Text Mail Logs, Status Logs, System Logs + - **Syslog Push** for the below categories: + AMP Engine Logs, Anti-Spam Logs, Anti-Spam Logs, Consolidated Event Logs, Content Scanner Logs, HTTP Logs, IronPort Text Mail Logs, Text Mail Logs, Status Logs, System Logs + +## [Sample Logs](https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_14-0/b_ESA_Admin_Guide_ces_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html) +Below are the samples logs of respective category: + +## AMP Engine Logs: +``` +File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec + +Response received for file reputation query from Cloud. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2 + +File Analysis complete. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG] + +File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists + +File analysis upload skipped. SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...] + +SHA256: 69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]] + +Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX. +``` +## Anti-Spam Logs +``` +case antispam - engine (72324) : case-daemon: Initializing Child + +case antispam - engine (15703) : case-daemon: all children killed, exitting + +case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down +``` +## Authentication Logs +``` +The user admin successfully logged on from 1.128.3.4 with privilege admin using an HTTPS connection. + +CLI: User admin logged out from 1.128.3.4 because of inactivity timeout + +GUI: User admin logged out from session d0PfzQa02E8NwMiah2jx because of inactivity timeout + +logout:1.128.3.4 user:admin session:wKV0AK29Ggdhztfl4Sal + +User admin logged out of SSH session 1.128.3.4 + +An authentication attempt by the user admin from 1.128.3.4 failed using an HTTPS connection. + +User admin was authenticated successfully. + +User joe failed authentication. +``` +## Bounce Logs +``` +Bounced: DCID 2 MID 15232 From: To: RID 0 - 5.1.0 - Unknown address error ('550', ['5.1.1 The email account that you tried to reach does not exist. Please try', "5.1.1 double-checking the recipient's email address for typos or", '5.1.1 unnecessary spaces. Learn more at', '5.1.1 xxxxx ay44si12078156oib.94 - gsmtp']) + +Bounced: 123:123 From: To: +``` +## Consolidated Event Logs +``` +CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing' +``` +## Content Scanner Logs +``` +PF: Starting multi-threaded Perceptive server (pid=17729) + +PF: Restarting content_scanner service. +``` +## IronPort Text Mail Logs +``` +Quarantine: Failed to connect to quarantine + +Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. + +Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". + +Internal SMTP system attempting to send a message to example.com with subject 'Critical example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0). +``` +## HTTP Logs +``` +req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 + +req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 - + +Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout + +Session fRK3TSjzhHhoI9CV5Kvt user:admin expired + +Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies + +SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully. + +PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time... + +Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/xxxxx/xxxxx.txt' + +SSL error with client 1.128.3.4:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown') + +Error in https connection from host 1.128.3.4 port 000 - [Errno 54] Connection reset by peer + +Passphrase has been changed for user admin +``` +## Text Mail Logs +``` +MID 111 DLP violation. Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'. + +graymail [CONFIG] Starting graymail configuration handler + +URL_REP_CLIENT: Configuration changed. Triggering restart of URL Reputation client service. + +A System/Warning alert was sent to example.com with subject "Warning cisco.esa: URL category definitions have changed.; Added new category '...". + +New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host example.com verified yes + +Start MID 6 ICID 5 + +MID 6 ICID 5 From: + +MID 6 ICID 5 RID 0 To: + +MID 6 ready 100 bytes from + +ICID 5 close + +New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4 + +Delivery start DCID 8 MID 6 to RID [0] + +Message done DCID 8 MID 6 to RID [0] + +DCID 8 close + +URL category definitions have changed. Please check and update your filters to use the new definitions + +Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". + +Your "IronPort Anti-Spam" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative. + +Internal SMTP system successfully sent a message to example.com with subject 'Warning cisco.esa: Your "Sophos Anti-Virus" key will expire in under 60 day(s)....'. + +Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. + +Internal SMTP Error: Failed to send message to host 1.128.3.4:000 for recipient example: Unexpected SMTP response "553", expecting code starting with "2", response was ['#5.1.8 Domain of sender address does not exist']. +``` +## Status Logs +``` +Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0 +``` +## System Logs +``` +PID 1237: User admin commit changes: Added a second CLI log for examples + +lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')] + +Failed to bootstrap the DNS resolver. Unable to contact root servers. + +DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' ' + +Received an invalid DNS Response: '' to IP dummy_ip looking up example.de +``` + +## Logs + +### log + +This is the `log` dataset. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-03-17T18:24:37.000Z", + "agent": { + "ephemeral_id": "76b54e2f-6051-4831-a042-28f1eabce453", + "hostname": "docker-fleet-agent", + "id": "4ab79874-377f-4d22-87e0-fc0522d5a90a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "message": "File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec" + } + }, + "data_stream": { + "dataset": "cisco_secure_email_gateway.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4ab79874-377f-4d22-87e0-fc0522d5a90a", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "attachments": { + "file": { + "name": "mod-6.exe", + "size": 1673216 + } + }, + "content_type": "application/x-dosexec", + "message_id": "5" + }, + "event": { + "agent_id_status": "verified", + "dataset": "cisco_secure_email_gateway.log", + "ingested": "2022-04-27T07:21:12Z", + "kind": "event" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "info", + "source": { + "address": "172.19.0.1:52733" + }, + "syslog": { + "priority": 166 + } + }, + "tags": [ + "forwarded", + "cisco_secure_email_gateway-log" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_secure_email_gateway.log.5xx_hard_bounces | 5XX Hard Bounces. | long | +| cisco_secure_email_gateway.log.act | | keyword | +| cisco_secure_email_gateway.log.action | | keyword | +| cisco_secure_email_gateway.log.active_recipients | Active Recipients. | long | +| cisco_secure_email_gateway.log.address | | ip | +| cisco_secure_email_gateway.log.alert_category | | keyword | +| cisco_secure_email_gateway.log.appliance.product | | keyword | +| cisco_secure_email_gateway.log.appliance.vendor | | keyword | +| cisco_secure_email_gateway.log.appliance.version | | keyword | +| cisco_secure_email_gateway.log.attempted_recipients | Attempted Recipients. | long | +| cisco_secure_email_gateway.log.backoff | The number of (x) seconds before the email gateway needs to wait before it makes an attempt to upload the file to the file analysis server. This occurs when the email gateway reaches the daily upload limit. | long | +| cisco_secure_email_gateway.log.bmld | | long | +| cisco_secure_email_gateway.log.bounce_type | Bounced or delayed (for example, hard or soft-bounce). | keyword | +| cisco_secure_email_gateway.log.cache.exceptions | Cache Exceptions. | long | +| cisco_secure_email_gateway.log.cache.expired | Cache Expired. | long | +| cisco_secure_email_gateway.log.cache.hits | Cache Hits. | long | +| cisco_secure_email_gateway.log.cache.misses | Cache Misses. | long | +| cisco_secure_email_gateway.log.case_id | | keyword | +| cisco_secure_email_gateway.log.case_ld | Percent CPU used by CASE scanning. | long | +| cisco_secure_email_gateway.log.category.name | | keyword | +| cisco_secure_email_gateway.log.cef_format_version | | keyword | +| cisco_secure_email_gateway.log.cfp1 | | double | +| cisco_secure_email_gateway.log.cfp1_label | | keyword | +| cisco_secure_email_gateway.log.cmrkld | | long | +| cisco_secure_email_gateway.log.command | | text | +| cisco_secure_email_gateway.log.commit_changes | | text | +| cisco_secure_email_gateway.log.completed_recipients | Completed Recipients. | long | +| cisco_secure_email_gateway.log.connection | | keyword | +| cisco_secure_email_gateway.log.connection_status | | keyword | +| cisco_secure_email_gateway.log.cpu.elapsed_time | Elapsed time since the application started. | long | +| cisco_secure_email_gateway.log.cpu.total_time | Total CPU time used by the application. | long | +| cisco_secure_email_gateway.log.cpu.utilization | CPU Utilization. | long | +| cisco_secure_email_gateway.log.crt.delivery_connection_id | Delivery Connection ID (DCID). | keyword | +| cisco_secure_email_gateway.log.crt.injection_connection_id | Injection Connection ID (ICID). | keyword | +| cisco_secure_email_gateway.log.cs1 | | keyword | +| cisco_secure_email_gateway.log.cs1_label | | keyword | +| cisco_secure_email_gateway.log.cs2 | | keyword | +| cisco_secure_email_gateway.log.cs2_label | | keyword | +| cisco_secure_email_gateway.log.cs3 | | keyword | +| cisco_secure_email_gateway.log.cs3_label | | keyword | +| cisco_secure_email_gateway.log.cs4 | | keyword | +| cisco_secure_email_gateway.log.cs4_label | | keyword | +| cisco_secure_email_gateway.log.cs5 | | keyword | +| cisco_secure_email_gateway.log.cs5_label | | keyword | +| cisco_secure_email_gateway.log.cs6 | | keyword | +| cisco_secure_email_gateway.log.cs6_label | | keyword | +| cisco_secure_email_gateway.log.current.inbound_connections | Current Inbound Connections. | long | +| cisco_secure_email_gateway.log.current.outbound_connections | Current Outbound Connections. | long | +| cisco_secure_email_gateway.log.data.ip | | ip | +| cisco_secure_email_gateway.log.deleted_recipients | Deleted Recipients. | long | +| cisco_secure_email_gateway.log.delivered_recipients | Delivered Recipients. | long | +| cisco_secure_email_gateway.log.delivery_connection_id | Delivery Connection ID. This is a numerical identifier for an individual SMTP connection to another server, for delivery of 1 to thousands of messages, each with some or all of their RIDs being delivered in a single message transmission. | keyword | +| cisco_secure_email_gateway.log.description | | text | +| cisco_secure_email_gateway.log.destination | | text | +| cisco_secure_email_gateway.log.destination_memory | Number of destination objects in memory. | long | +| cisco_secure_email_gateway.log.details | Additional information. | text | +| cisco_secure_email_gateway.log.device_direction | | keyword | +| cisco_secure_email_gateway.log.disk_io | Disk I/O Utilization. | long | +| cisco_secure_email_gateway.log.disposition | | keyword | +| cisco_secure_email_gateway.log.dns.hard_bounces | DNS Hard Bounces. | long | +| cisco_secure_email_gateway.log.dns.requests | DNS Requests. | long | +| cisco_secure_email_gateway.log.dropped_messages | Dropped Messages. | long | +| cisco_secure_email_gateway.log.encryption_queue | Messages in the Encryption Queue. | long | +| cisco_secure_email_gateway.log.error_code | | keyword | +| cisco_secure_email_gateway.log.esa.amp_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.as_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.attachment_details | | text | +| cisco_secure_email_gateway.log.esa.av_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.content_filter_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.delivery_connection_id | | keyword | +| cisco_secure_email_gateway.log.esa.dha_source | | keyword | +| cisco_secure_email_gateway.log.esa.dkim_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.dlp_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.dmarc_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.final_action_details | | text | +| cisco_secure_email_gateway.log.esa.friendly_from | | keyword | +| cisco_secure_email_gateway.log.esa.graymail_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.helo.ip | | ip | +| cisco_secure_email_gateway.log.esa.injection_connection_id | | keyword | +| cisco_secure_email_gateway.log.esa.mail_auto_remediation_action | | text | +| cisco_secure_email_gateway.log.esa.mail_flow_policy | | keyword | +| cisco_secure_email_gateway.log.esa.mf_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.msg_size | | long | +| cisco_secure_email_gateway.log.esa.msg_too_big_from_sender | | boolean | +| cisco_secure_email_gateway.log.esa.outbreak_filter_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.rate_limited_ip | | keyword | +| cisco_secure_email_gateway.log.esa.reply_to | | keyword | +| cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age | | text | +| cisco_secure_email_gateway.log.esa.sender_group | | keyword | +| cisco_secure_email_gateway.log.esa.spf_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.url_details | | text | +| cisco_secure_email_gateway.log.estimated.quarantine | Estimated number of messages in the Spam quarantine. | long | +| cisco_secure_email_gateway.log.estimated.quarantine_release_queue | Estimated number of messages in the Spam quarantine release queue. | long | +| cisco_secure_email_gateway.log.event.name | | keyword | +| cisco_secure_email_gateway.log.event_class_id | | keyword | +| cisco_secure_email_gateway.log.expired_hard_bounces | Expired Hard Bounces. | long | +| cisco_secure_email_gateway.log.filter_hard_bounces | Filter Hard Bounces. | long | +| cisco_secure_email_gateway.log.generated_bounce_recipients | Generated Bounce Recipients. | long | +| cisco_secure_email_gateway.log.global_unsubscribe_hits | Global Unsubscribe Hits. | long | +| cisco_secure_email_gateway.log.hard_bounce_recipients | Hard Bounced Recipients. | long | +| cisco_secure_email_gateway.log.injected.bytes | Total Injected Message Size in Bytes. | long | +| cisco_secure_email_gateway.log.injected.messages | Injected Messages. | long | +| cisco_secure_email_gateway.log.injected.recipients | Injected Recipients. | long | +| cisco_secure_email_gateway.log.injection_connection_id | Injection Connection ID. This is a numerical identifier for an individual SMTP connection to the system, over which 1 to thousands of individual messages may be sent. | keyword | +| cisco_secure_email_gateway.log.interface | | keyword | +| cisco_secure_email_gateway.log.listener.name | | keyword | +| cisco_secure_email_gateway.log.log_available | Amount of disk space available for log files. | keyword | +| cisco_secure_email_gateway.log.log_used | Percent of log partition used. | long | +| cisco_secure_email_gateway.log.malware | The name of the malware threat. | keyword | +| cisco_secure_email_gateway.log.max_io | Maximum disk I/O operations per second for the mail process. | long | +| cisco_secure_email_gateway.log.mcafee_ld | Percent CPU used by McAfee anti-virus scanning. | long | +| cisco_secure_email_gateway.log.message | | text | +| cisco_secure_email_gateway.log.message_filters_verdict | | keyword | +| cisco_secure_email_gateway.log.message_status | | keyword | +| cisco_secure_email_gateway.log.messages_length | Total number of messages in the system. | long | +| cisco_secure_email_gateway.log.name | | keyword | +| cisco_secure_email_gateway.log.network_requests | Network Requests. | long | +| cisco_secure_email_gateway.log.ns_name | | keyword | +| cisco_secure_email_gateway.log.object | | keyword | +| cisco_secure_email_gateway.log.object_attr | | keyword | +| cisco_secure_email_gateway.log.object_category | | keyword | +| cisco_secure_email_gateway.log.other_hard_bounces | Other Hard Bounces. | long | +| cisco_secure_email_gateway.log.outcome | | keyword | +| cisco_secure_email_gateway.log.privilege | | keyword | +| cisco_secure_email_gateway.log.qname | | keyword | +| cisco_secure_email_gateway.log.quarantine.load | CPU load during the Quarantine process. | long | +| cisco_secure_email_gateway.log.quarantine.messages | Number of individual messages in policy, virus, or outbreak quarantine (messages present in multiple quarantines are counted only once). | long | +| cisco_secure_email_gateway.log.quarantine.queue_kilobytes_used | KBytes used by policy, virus, and outbreak quarantine messages. | long | +| cisco_secure_email_gateway.log.queue_kilobytes_free | Queue Kilobytes Free. | long | +| cisco_secure_email_gateway.log.queue_kilobytes_usd | Queue Kilobytes Used. | long | +| cisco_secure_email_gateway.log.ram.used | Allocated memory in bytes. | long | +| cisco_secure_email_gateway.log.ram.utilization | RAM Utilization. | long | +| cisco_secure_email_gateway.log.read_bytes | | long | +| cisco_secure_email_gateway.log.recepients | | keyword | +| cisco_secure_email_gateway.log.recipient_id | Recipient ID. | keyword | +| cisco_secure_email_gateway.log.ref_zone | | keyword | +| cisco_secure_email_gateway.log.referrals | | text | +| cisco_secure_email_gateway.log.rejected_recipients | Rejected Recipients. | long | +| cisco_secure_email_gateway.log.reporting_load | CPU load during the Reporting process. | long | +| cisco_secure_email_gateway.log.reputation_score | The reputation score assigned to the file by the file reputation server. | keyword | +| cisco_secure_email_gateway.log.resource_conservation | Resource conservation tarpit value. Acceptance of incoming mail is delayed by this number of seconds due to heavy system load. | long | +| cisco_secure_email_gateway.log.response | SMTP response code and message from recipient host. | text | +| cisco_secure_email_gateway.log.result | | text | +| cisco_secure_email_gateway.log.retries | The number of upload attempts performed on a given file. | long | +| cisco_secure_email_gateway.log.risk_factor | | long | +| cisco_secure_email_gateway.log.run_id | The numeric value (ID) assigned to the file by the file analysis server for a particular file analysis. | keyword | +| cisco_secure_email_gateway.log.score | The analysis score assigned to the file by the file analysis server. | long | +| cisco_secure_email_gateway.log.server_error_details | | text | +| cisco_secure_email_gateway.log.session | | keyword | +| cisco_secure_email_gateway.log.severity | | keyword | +| cisco_secure_email_gateway.log.soft_bounced_events | Soft Bounced Events. | long | +| cisco_secure_email_gateway.log.sophos_ld | Percent CPU used by Sophos anti-virus scanning. | long | +| cisco_secure_email_gateway.log.spy_name | The name of the threat, if a malware is found in the file during file analysis. | keyword | +| cisco_secure_email_gateway.log.start_time | | keyword | +| cisco_secure_email_gateway.log.subject | | text | +| cisco_secure_email_gateway.log.submit.timestamp | The date and time at which the file is uploaded to the file analysis server by the email gateway. | date | +| cisco_secure_email_gateway.log.swap_usage | | keyword | +| cisco_secure_email_gateway.log.swapped.in | Memory swapped in. | long | +| cisco_secure_email_gateway.log.swapped.out | Memory swapped out. | long | +| cisco_secure_email_gateway.log.swapped.page.in | Memory paged in. | long | +| cisco_secure_email_gateway.log.swapped.page.out | Memory paged out. | long | +| cisco_secure_email_gateway.log.total_ld | Total CPU consumption. | long | +| cisco_secure_email_gateway.log.type | | keyword | +| cisco_secure_email_gateway.log.unattempted_recipients | Unattempted Recipients. | long | +| cisco_secure_email_gateway.log.update.timestamp | The date and time at which the file analysis for the file is complete. | date | +| cisco_secure_email_gateway.log.upload.action | The upload action value recommended by the file reputation server to take on the given file 0 - Need not send for upload. 1 - Send file for upload. Note The email gateway uploads the file when the upload action value is ‘1.’. 2 - Do not send file for upload. 3 - Send only metadata for upload. | keyword | +| cisco_secure_email_gateway.log.upload.priority | | keyword | +| cisco_secure_email_gateway.log.vendor_action | | keyword | +| cisco_secure_email_gateway.log.verdict | The file retrospective verdict value is malicious or clean. | keyword | +| cisco_secure_email_gateway.log.verified | | keyword | +| cisco_secure_email_gateway.log.work_queue | This is the number of messages currently in the work queue. | long | +| cisco_secure_email_gateway.log.zone | | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.attachments.file.hash.sha256 | SHA256 hash. | keyword | +| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword | +| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | +| email.attachments.file.size | Attachment file size in bytes. | long | +| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | +| email.direction | The direction of the message based on the sending and receiving domains. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| filepath | | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | | keyword | +| log.file.path | File path from which the log event was read / sent from. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| type | Input type. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | diff --git a/packages/cisco_secure_email_gateway/1.0.1/img/cisco-logo.svg b/packages/cisco_secure_email_gateway/1.0.1/img/cisco-logo.svg new file mode 100755 index 0000000000..43f57cb7fe --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/img/cisco-logo.svg @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + diff --git a/packages/cisco_secure_email_gateway/1.0.1/img/cisco-secure-email-gateway-screenshot.png b/packages/cisco_secure_email_gateway/1.0.1/img/cisco-secure-email-gateway-screenshot.png new file mode 100755 index 0000000000..35e15bd5e8 Binary files /dev/null and b/packages/cisco_secure_email_gateway/1.0.1/img/cisco-secure-email-gateway-screenshot.png differ diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-3e3a4de0-b00b-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-3e3a4de0-b00b-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..7311d3de88 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-3e3a4de0-b00b-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_secure_email_gateway.log.category.name\",\"negate\":false,\"params\":{\"query\":\"status\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_secure_email_gateway.log.category.name\":\"status\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"95a6ae87-13d5-4ada-bd77-bec597a81714\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"95a6ae87-13d5-4ada-bd77-bec597a81714\",\"panelRefName\":\"panel_0\",\"title\":\"CPU Utilization Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"fac9251f-8b75-46fa-94ff-2a004fd15099\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"fac9251f-8b75-46fa-94ff-2a004fd15099\",\"panelRefName\":\"panel_1\",\"title\":\"Disk I/O Utilization Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"de2943f1-1708-4fd3-bb0d-99903395cc32\",\"w\":24,\"x\":0,\"y\":14},\"panelIndex\":\"de2943f1-1708-4fd3-bb0d-99903395cc32\",\"panelRefName\":\"panel_2\",\"title\":\"RAM Utilization Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3ff28fc7-0158-4901-baf2-797e2686c180\",\"w\":24,\"x\":24,\"y\":14},\"panelIndex\":\"3ff28fc7-0158-4901-baf2-797e2686c180\",\"panelRefName\":\"panel_3\",\"title\":\"Sophos Anti-Virus Scanning Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"01d7f54a-0bfd-444a-99ca-ea799c11d342\",\"w\":24,\"x\":0,\"y\":29},\"panelIndex\":\"01d7f54a-0bfd-444a-99ca-ea799c11d342\",\"panelRefName\":\"panel_4\",\"title\":\"McAfee Anti-Virus Scanning Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"cc5ddff9-fb90-4f24-a98c-3a2b3957f8c6\",\"w\":24,\"x\":24,\"y\":29},\"panelIndex\":\"cc5ddff9-fb90-4f24-a98c-3a2b3957f8c6\",\"panelRefName\":\"panel_5\",\"title\":\"CASE Scanning Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ef7de46-c487-40c7-856a-3bbd89bbcf7b\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"0ef7de46-c487-40c7-856a-3bbd89bbcf7b\",\"panelRefName\":\"panel_6\",\"title\":\"Reporting Process Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7ce2069e-5789-451a-8980-5c1efa0ea8b9\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"7ce2069e-5789-451a-8980-5c1efa0ea8b9\",\"panelRefName\":\"panel_7\",\"title\":\"Quarantine Process Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Status", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-3e3a4de0-b00b-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-6a11cbc0-b513-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-6a11cbc0-b513-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..11a540a2f8 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-6a11cbc0-b513-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_secure_email_gateway.log.category.name\",\"negate\":false,\"params\":{\"query\":\"amp\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_secure_email_gateway.log.category.name\":\"amp\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"42e2b65e-cb47-40bb-9c1b-57ffe421f4dc\":{\"columnOrder\":[\"cfaa9bc5-46c5-4cf4-968f-419ea5d8e285\",\"40ee8622-c392-4ec5-bc21-d912f381c282\"],\"columns\":{\"40ee8622-c392-4ec5-bc21-d912f381c282\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cfaa9bc5-46c5-4cf4-968f-419ea5d8e285\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"40ee8622-c392-4ec5-bc21-d912f381c282\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"email.content_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"cfaa9bc5-46c5-4cf4-968f-419ea5d8e285\"],\"layerId\":\"42e2b65e-cb47-40bb-9c1b-57ffe421f4dc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"40ee8622-c392-4ec5-bc21-d912f381c282\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"9dee5b6f-f892-4227-9472-22fb7d514271\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"9dee5b6f-f892-4227-9472-22fb7d514271\",\"panelRefName\":\"panel_0\",\"title\":\"Distribution of AMP Engine Events by File Type [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"dc47e71b-52ce-41ad-bbba-60c0b7205f20\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"dc47e71b-52ce-41ad-bbba-60c0b7205f20\",\"panelRefName\":\"panel_1\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"ca17fa14-0065-4dc5-87e2-3166254da30a\",\"w\":24,\"x\":0,\"y\":13},\"panelIndex\":\"ca17fa14-0065-4dc5-87e2-3166254da30a\",\"panelRefName\":\"panel_2\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"5878a629-052a-4cb5-95bf-8e0fc6ec5ec1\",\"w\":24,\"x\":24,\"y\":13},\"panelIndex\":\"5878a629-052a-4cb5-95bf-8e0fc6ec5ec1\",\"panelRefName\":\"panel_3\",\"title\":\"Distribution of AMP Engine Events by File MIME Type [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"38a471f6-9731-4071-9d91-b3ec1564349b\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"38a471f6-9731-4071-9d91-b3ec1564349b\",\"panelRefName\":\"panel_4\",\"title\":\"Distribution of AMP Engine Events by Upload Action [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"aa7dfa01-c596-466e-8296-1608d666cd1e\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"aa7dfa01-c596-466e-8296-1608d666cd1e\",\"panelRefName\":\"panel_5\",\"title\":\"Distribution of AMP Engine Events by Verdict [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] AMP Engine", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-6a11cbc0-b513-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b", + "name": "panel_4", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b", + "name": "panel_5", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-97ab0d40-b63e-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-97ab0d40-b63e-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..56444429ff --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-97ab0d40-b63e-11ec-b665-f79f0daaad54.json @@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7cc45c02-44e8-438c-aa38-a007d252b940\",\"w\":23,\"x\":0,\"y\":0},\"panelIndex\":\"7cc45c02-44e8-438c-aa38-a007d252b940\",\"panelRefName\":\"panel_0\",\"title\":\"Distribution of Anti-Spam Events by Object [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f8fe013f-8aa5-4f0e-84ff-45ec811766a3\",\"w\":25,\"x\":23,\"y\":0},\"panelIndex\":\"f8fe013f-8aa5-4f0e-84ff-45ec811766a3\",\"panelRefName\":\"panel_1\",\"title\":\"Distribution of Anti-Spam Events by Object Category [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d14a4980-fa97-483e-ad10-ad6ff134dd23\",\"w\":23,\"x\":0,\"y\":15},\"panelIndex\":\"d14a4980-fa97-483e-ad10-ad6ff134dd23\",\"panelRefName\":\"panel_2\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1db1d475-764a-431d-abb5-9ab291f69e33\",\"w\":25,\"x\":23,\"y\":15},\"panelIndex\":\"1db1d475-764a-431d-abb5-9ab291f69e33\",\"panelRefName\":\"panel_3\",\"title\":\"Distribution of Authentication Events by Outcome [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Anti-Spam and Authentication", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-97ab0d40-b63e-11ec-b665-f79f0daaad54", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54", + "name": "panel_3", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-a1060e90-b025-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-a1060e90-b025-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..6e241daaa2 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-a1060e90-b025-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_secure_email_gateway.log.category.name\",\"negate\":false,\"params\":{\"query\":\"gui_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_secure_email_gateway.log.category.name\":\"gui_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1dd36832-31f8-43d2-a00c-49d24108eaa4\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1dd36832-31f8-43d2-a00c-49d24108eaa4\",\"panelRefName\":\"panel_0\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"17df4ae4-3f35-46d2-9516-26dfdfe5f3b5\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"17df4ae4-3f35-46d2-9516-26dfdfe5f3b5\",\"panelRefName\":\"panel_1\",\"title\":\"Distribution of GUI Events by Request [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ac4a3508-065d-4610-8358-684e5d9e82c2\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"ac4a3508-065d-4610-8358-684e5d9e82c2\",\"panelRefName\":\"panel_2\",\"title\":\"Distribution of GUI Events by Response Status Code [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e028cf94-3b68-4e0e-bff8-3e2d32e049fe\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e028cf94-3b68-4e0e-bff8-3e2d32e049fe\",\"panelRefName\":\"panel_3\",\"title\":\"Distribution of GUI Events by User Agent [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b6700711-d823-4afa-9ce0-b119917ed1b8\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"b6700711-d823-4afa-9ce0-b119917ed1b8\",\"panelRefName\":\"panel_4\",\"title\":\"Top 10 User Name [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"79ad4619-4274-4344-925b-281f6c35df63\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"79ad4619-4274-4344-925b-281f6c35df63\",\"panelRefName\":\"panel_5\",\"title\":\"Distribution of GUI Events by OS, OS Version [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] GUI", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-a1060e90-b025-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54", + "name": "panel_4", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54", + "name": "panel_5", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-b9591cf0-b640-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-b9591cf0-b640-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..95bccd74da --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-b9591cf0-b640-11ec-b665-f79f0daaad54.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"945d4b9c-86fa-42cd-b512-1a1bd70b6d97\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"945d4b9c-86fa-42cd-b512-1a1bd70b6d97\",\"panelRefName\":\"panel_0\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"103fbc3c-7c0e-48cd-bd68-b67a615aad7b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"103fbc3c-7c0e-48cd-bd68-b67a615aad7b\",\"panelRefName\":\"panel_1\",\"title\":\"Top 10 User Name [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"f4b68a6e-421b-42b1-866c-100f504735d4\",\"w\":16,\"x\":0,\"y\":15},\"panelIndex\":\"f4b68a6e-421b-42b1-866c-100f504735d4\",\"panelRefName\":\"panel_2\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8d6507ea-1c20-4fcc-bbb9-daadecd72f46\",\"w\":15,\"x\":16,\"y\":15},\"panelIndex\":\"8d6507ea-1c20-4fcc-bbb9-daadecd72f46\",\"panelRefName\":\"panel_3\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"ca178e69-d36c-47fe-bea1-3f4aeb07c33e\",\"w\":17,\"x\":31,\"y\":15},\"panelIndex\":\"ca178e69-d36c-47fe-bea1-3f4aeb07c33e\",\"panelRefName\":\"panel_4\",\"title\":\"Distribution of Error Events by Alert Category [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Error, Content Scanner and System", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-b9591cf0-b640-11ec-b665-f79f0daaad54", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b", + "name": "panel_4", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-be7e9c00-b055-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-be7e9c00-b055-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..a045e36435 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-be7e9c00-b055-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_secure_email_gateway.log.category.name\",\"negate\":false,\"params\":{\"query\":\"consolidated_event\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_secure_email_gateway.log.category.name\":\"consolidated_event\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b11261c4-5064-4f70-9297-35e354c35e59\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"b11261c4-5064-4f70-9297-35e354c35e59\",\"panelRefName\":\"panel_0\",\"title\":\"Distribution of Consolidated Events by Listener Name [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"eaaaa9e9-fc9b-448c-88a6-9404e44b45ad\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"eaaaa9e9-fc9b-448c-88a6-9404e44b45ad\",\"panelRefName\":\"panel_1\",\"title\":\"Distribution of Consolidated Events by Outbreak Filters Verdict [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"14f54d7b-75bc-44eb-a15f-c79876f5edb4\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"14f54d7b-75bc-44eb-a15f-c79876f5edb4\",\"panelRefName\":\"panel_2\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bb7a6391-3a3a-40c2-b32d-9b7bc3b5916f\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"bb7a6391-3a3a-40c2-b32d-9b7bc3b5916f\",\"panelRefName\":\"panel_3\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"507ca4af-c48a-43e3-9aa2-79ff68ba7eaf\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"507ca4af-c48a-43e3-9aa2-79ff68ba7eaf\",\"panelRefName\":\"panel_4\",\"title\":\"Distribution of Consolidated Events by Graymail Verdict [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fc2be34f-5ce2-48cc-a36d-8102d13f888f\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"fc2be34f-5ce2-48cc-a36d-8102d13f888f\",\"panelRefName\":\"panel_5\",\"title\":\"Distribution of Consolidated Events by AMP Verdict [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a0228300-da78-48a7-9d70-cc93670887b5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"a0228300-da78-48a7-9d70-cc93670887b5\",\"panelRefName\":\"panel_6\",\"title\":\"Distribution of Consolidated Events by AS Verdict [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0e21c3d8-a107-4c45-bb9e-c91763054347\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"0e21c3d8-a107-4c45-bb9e-c91763054347\",\"panelRefName\":\"panel_7\",\"title\":\"Distribution of Consolidated Events by AV Verdict [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"466b3df7-c128-470a-b24e-c83257b58e86\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"466b3df7-c128-470a-b24e-c83257b58e86\",\"panelRefName\":\"panel_8\",\"title\":\"Distribution of Consolidated Events by DLP Verdict [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"dca786a1-5cf1-432b-b645-65378e3c4249\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"dca786a1-5cf1-432b-b645-65378e3c4249\",\"panelRefName\":\"panel_9\",\"title\":\"Distribution of Consolidated Events by Content Filters Verdict [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d895fb3d-f0c0-42b3-81c9-b41e0de21b8f\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d895fb3d-f0c0-42b3-81c9-b41e0de21b8f\",\"panelRefName\":\"panel_10\",\"title\":\"Top 10 Appliance Vendor [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab44d98a-a6f9-46db-93b5-8d982bb8164d\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"ab44d98a-a6f9-46db-93b5-8d982bb8164d\",\"panelRefName\":\"panel_11\",\"title\":\"Distribution of Consolidated Events by Message Final Action [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Consolidated Event", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-be7e9c00-b055-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b", + "name": "panel_4", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b", + "name": "panel_5", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b", + "name": "panel_6", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b", + "name": "panel_7", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b", + "name": "panel_8", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b", + "name": "panel_9", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b", + "name": "panel_10", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b", + "name": "panel_11", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-c19f7c50-b05b-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-c19f7c50-b05b-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..5d3de9ff4f --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-c19f7c50-b05b-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_secure_email_gateway.log.category.name\",\"negate\":false,\"params\":{\"query\":\"mail_logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_secure_email_gateway.log.category.name\":\"mail_logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"964bf5b0-a59e-4378-856a-850bdfbad7bc\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"964bf5b0-a59e-4378-856a-850bdfbad7bc\",\"panelRefName\":\"panel_0\",\"title\":\"Distribution of Text Mail Events by Severity [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a86df19f-3670-4f11-8c65-6f2a15ce360e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"a86df19f-3670-4f11-8c65-6f2a15ce360e\",\"panelRefName\":\"panel_1\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"61bc30e5-ddc7-4603-ae82-1b9da098f1be\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"61bc30e5-ddc7-4603-ae82-1b9da098f1be\",\"panelRefName\":\"panel_2\",\"title\":\"Distribution of Text Mail Events by Object Attribute [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"836dd851-3cec-4eb5-8995-651105e410f9\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"836dd851-3cec-4eb5-8995-651105e410f9\",\"panelRefName\":\"panel_3\",\"title\":\"Distribution of Text Mail Events by Vendor Action [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"941b0a19-c57b-4888-bfc5-766bc30fe2fb\",\"w\":17,\"x\":0,\"y\":30},\"panelIndex\":\"941b0a19-c57b-4888-bfc5-766bc30fe2fb\",\"panelRefName\":\"panel_4\",\"title\":\"Distribution of Text Mail Events by Connection Status [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"c550d9bb-f49b-420d-a583-96785a91f1d4\",\"w\":15,\"x\":17,\"y\":30},\"panelIndex\":\"c550d9bb-f49b-420d-a583-96785a91f1d4\",\"panelRefName\":\"panel_5\",\"title\":\"Distribution of Text Mail Events by Message Status [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"9421e841-9470-45c7-a3d4-7d4130a5c758\",\"w\":16,\"x\":32,\"y\":30},\"panelIndex\":\"9421e841-9470-45c7-a3d4-7d4130a5c758\",\"panelRefName\":\"panel_6\",\"title\":\"Distribution of Text Mail Events by Network Protocol [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"acadb1ad-19bb-41e8-9c5e-7d62b4cf8f6c\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"acadb1ad-19bb-41e8-9c5e-7d62b4cf8f6c\",\"panelRefName\":\"panel_7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"48a59710-7086-459f-abef-72604a666d20\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"48a59710-7086-459f-abef-72604a666d20\",\"panelRefName\":\"panel_8\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Text Mail", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-c19f7c50-b05b-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b", + "name": "panel_4", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b", + "name": "panel_5", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b", + "name": "panel_6", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b", + "name": "panel_7", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b", + "name": "panel_8", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-c94a00a0-b0a7-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-c94a00a0-b0a7-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..2088f9875c --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/dashboard/cisco_secure_email_gateway-c94a00a0-b0a7-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cisco_secure_email_gateway.log.category.name\",\"negate\":false,\"params\":{\"query\":\"bounces\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"cisco_secure_email_gateway.log.category.name\":\"bounces\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"639d7ded-5352-4627-beb3-eb311f3318d8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"639d7ded-5352-4627-beb3-eb311f3318d8\",\"panelRefName\":\"panel_0\",\"title\":\"Distribution of Bounce Events by Bounce Type [Logs Cisco Secure Email Gateway]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85d72fcb-35a5-469f-b27d-1fb5e82ca891\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"85d72fcb-35a5-469f-b27d-1fb5e82ca891\",\"panelRefName\":\"panel_1\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"645dd140-f2d1-4fe1-974e-d45f57bfb3a3\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"645dd140-f2d1-4fe1-974e-d45f57bfb3a3\",\"panelRefName\":\"panel_2\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"78094ff3-8433-4298-9b15-cde20f055619\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"78094ff3-8433-4298-9b15-cde20f055619\",\"panelRefName\":\"panel_3\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Bounce", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-c94a00a0-b0a7-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..e460db3f3a --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "dc14a7c6-0c0a-4d2d-9d1a-3ab5f9b79791": { + "columnOrder": [ + "775a45ba-8734-4350-9286-e0de448cbae2", + "e60ae8dd-f8ee-4d28-9051-64158ea09998" + ], + "columns": { + "775a45ba-8734-4350-9286-e0de448cbae2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object Attribute", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e60ae8dd-f8ee-4d28-9051-64158ea09998", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object_attr" + }, + "e60ae8dd-f8ee-4d28-9051-64158ea09998": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "e60ae8dd-f8ee-4d28-9051-64158ea09998" + ], + "layerId": "dc14a7c6-0c0a-4d2d-9d1a-3ab5f9b79791", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "775a45ba-8734-4350-9286-e0de448cbae2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Text Mail Events by Object Attribute [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dc14a7c6-0c0a-4d2d-9d1a-3ab5f9b79791", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..7db2c4a09d --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ef2e966e-52e1-4aa5-97d4-4f415bd80272": { + "columnOrder": [ + "c60a5e2f-a5aa-47b7-964f-ade43eae9d5a", + "f4642514-e457-4c19-a2f4-802311e3a3fa" + ], + "columns": { + "c60a5e2f-a5aa-47b7-964f-ade43eae9d5a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Graymail Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f4642514-e457-4c19-a2f4-802311e3a3fa", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.graymail_verdict" + }, + "f4642514-e457-4c19-a2f4-802311e3a3fa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c60a5e2f-a5aa-47b7-964f-ade43eae9d5a" + ], + "layerId": "ef2e966e-52e1-4aa5-97d4-4f415bd80272", + "layerType": "data", + "legendDisplay": "default", + "metric": "f4642514-e457-4c19-a2f4-802311e3a3fa", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by Graymail Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ef2e966e-52e1-4aa5-97d4-4f415bd80272", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..d620f86431 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d11b7b35-4452-4d96-aedb-cfa76248e087": { + "columnOrder": [ + "8ea28f8c-d6b1-4857-9581-6f6a2fd9a885", + "9d948240-967b-4c51-828f-3b950b5beca5" + ], + "columns": { + "8ea28f8c-d6b1-4857-9581-6f6a2fd9a885": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9d948240-967b-4c51-828f-3b950b5beca5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object_category" + }, + "9d948240-967b-4c51-828f-3b950b5beca5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"antispam\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "8ea28f8c-d6b1-4857-9581-6f6a2fd9a885" + ], + "layerId": "d11b7b35-4452-4d96-aedb-cfa76248e087", + "layerType": "data", + "legendDisplay": "default", + "metric": "9d948240-967b-4c51-828f-3b950b5beca5", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Anti-Spam Events by Object Category [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d11b7b35-4452-4d96-aedb-cfa76248e087", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..47197b71a2 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8cc04732-d3e2-4b65-aeac-fee7492adee6": { + "columnOrder": [ + "64ec49a9-78fd-4cb4-8c2b-e183f50b0526", + "4b3854d5-8b24-4472-a3b3-e2484749d658" + ], + "columns": { + "4b3854d5-8b24-4472-a3b3-e2484749d658": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "64ec49a9-78fd-4cb4-8c2b-e183f50b0526": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4b3854d5-8b24-4472-a3b3-e2484749d658", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object_category" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"content_scanner\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "64ec49a9-78fd-4cb4-8c2b-e183f50b0526" + ], + "layerId": "8cc04732-d3e2-4b65-aeac-fee7492adee6", + "layerType": "data", + "legendDisplay": "default", + "metric": "4b3854d5-8b24-4472-a3b3-e2484749d658", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Content Scanner Events by Object Category [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8cc04732-d3e2-4b65-aeac-fee7492adee6", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..3539373e34 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1f0830ca-67f7-48e3-8356-4495026c941d": { + "columnOrder": [ + "350b5032-a217-4f5b-afe2-13d5ed62a26e", + "6769baa6-3cdd-4ba5-a406-b5b10ae1a427" + ], + "columns": { + "350b5032-a217-4f5b-afe2-13d5ed62a26e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Appliance vendor", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6769baa6-3cdd-4ba5-a406-b5b10ae1a427", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.appliance.vendor" + }, + "6769baa6-3cdd-4ba5-a406-b5b10ae1a427": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "350b5032-a217-4f5b-afe2-13d5ed62a26e", + "isTransposed": false + }, + { + "columnId": "6769baa6-3cdd-4ba5-a406-b5b10ae1a427", + "isTransposed": false + } + ], + "layerId": "1f0830ca-67f7-48e3-8356-4495026c941d", + "layerType": "data" + } + }, + "title": "Top 10 Appliance vendor [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1f0830ca-67f7-48e3-8356-4495026c941d", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..f1b80ae6e0 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0fcbd198-453c-4d42-9e5d-4920321e8cbb": { + "columnOrder": [ + "da5e80d9-05f2-4ffe-a208-fb3cb59702c7", + "63a10371-dab3-4bcc-8c94-9deb9ad801db" + ], + "columns": { + "63a10371-dab3-4bcc-8c94-9deb9ad801db": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "da5e80d9-05f2-4ffe-a208-fb3cb59702c7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Listener Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "63a10371-dab3-4bcc-8c94-9deb9ad801db", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "email.direction" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "da5e80d9-05f2-4ffe-a208-fb3cb59702c7" + ], + "layerId": "0fcbd198-453c-4d42-9e5d-4920321e8cbb", + "layerType": "data", + "legendDisplay": "default", + "metric": "63a10371-dab3-4bcc-8c94-9deb9ad801db", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by Listener Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0fcbd198-453c-4d42-9e5d-4920321e8cbb", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..4deaa68b80 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "6a329d99-3de7-4396-9481-07cff7118b75": { + "columnOrder": [ + "94df3128-28b6-4f27-897f-bcb44d3c7196", + "2eeef2a5-4721-49f0-bdf3-e39e05c95999" + ], + "columns": { + "2eeef2a5-4721-49f0-bdf3-e39e05c95999": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "94df3128-28b6-4f27-897f-bcb44d3c7196": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2eeef2a5-4721-49f0-bdf3-e39e05c95999", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"antispam\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "94df3128-28b6-4f27-897f-bcb44d3c7196" + ], + "layerId": "6a329d99-3de7-4396-9481-07cff7118b75", + "layerType": "data", + "legendDisplay": "default", + "metric": "2eeef2a5-4721-49f0-bdf3-e39e05c95999", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Anti-Spam Events by Object [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6a329d99-3de7-4396-9481-07cff7118b75", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..d79d70e84e --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f59bf14d-1826-4672-a636-96713e17bf3d": { + "columnOrder": [ + "c5045d93-c903-4f4f-a653-1ee275ee5f1f", + "5d32e55d-1a69-4e1c-a42e-e3cc5302a77c" + ], + "columns": { + "5d32e55d-1a69-4e1c-a42e-e3cc5302a77c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c5045d93-c903-4f4f-a653-1ee275ee5f1f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Bounce Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5d32e55d-1a69-4e1c-a42e-e3cc5302a77c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.bounce_type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c5045d93-c903-4f4f-a653-1ee275ee5f1f" + ], + "layerId": "f59bf14d-1826-4672-a636-96713e17bf3d", + "layerType": "data", + "legendDisplay": "default", + "metric": "5d32e55d-1a69-4e1c-a42e-e3cc5302a77c", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Bounce Events by Bounce type [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f59bf14d-1826-4672-a636-96713e17bf3d", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..90b214a587 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "da50ed80-3cbc-4559-bef0-e3db5de2fb16": { + "columnOrder": [ + "2782b4e2-ba8c-4aaf-8747-8d7297b3ec41", + "722a910a-7f85-47f2-9eea-8a13c4faaed5" + ], + "columns": { + "2782b4e2-ba8c-4aaf-8747-8d7297b3ec41": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Malware Threat", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "722a910a-7f85-47f2-9eea-8a13c4faaed5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.malware" + }, + "722a910a-7f85-47f2-9eea-8a13c4faaed5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "2782b4e2-ba8c-4aaf-8747-8d7297b3ec41", + "isTransposed": false + }, + { + "columnId": "722a910a-7f85-47f2-9eea-8a13c4faaed5", + "isTransposed": false + } + ], + "layerId": "da50ed80-3cbc-4559-bef0-e3db5de2fb16", + "layerType": "data" + } + }, + "title": "Top 10 Malware Threat [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-da50ed80-3cbc-4559-bef0-e3db5de2fb16", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..7b640de955 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "78976d98-602b-49ed-9fad-c111e8dd5d9c": { + "columnOrder": [ + "1246cdaf-b072-4a40-9ecc-4f0a83910265", + "a46515d5-4b24-47ee-bb4e-673b0c46d4db" + ], + "columns": { + "1246cdaf-b072-4a40-9ecc-4f0a83910265": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "DNS Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a46515d5-4b24-47ee-bb4e-673b0c46d4db", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "dns.question.name" + }, + "a46515d5-4b24-47ee-bb4e-673b0c46d4db": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "1246cdaf-b072-4a40-9ecc-4f0a83910265", + "isTransposed": false + }, + { + "columnId": "a46515d5-4b24-47ee-bb4e-673b0c46d4db", + "isTransposed": false + } + ], + "layerId": "78976d98-602b-49ed-9fad-c111e8dd5d9c", + "layerType": "data" + } + }, + "title": "Top 10 DNS Host [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-78976d98-602b-49ed-9fad-c111e8dd5d9c", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..c71cee27f9 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "17b5a5b0-ab60-4ac9-918d-1471b17fc36a": { + "columnOrder": [ + "84b418b7-2bd5-473f-a0a9-6a15c5864123", + "1f0c2ff3-8fb0-4767-8b5c-1289cc7c461d" + ], + "columns": { + "1f0c2ff3-8fb0-4767-8b5c-1289cc7c461d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "84b418b7-2bd5-473f-a0a9-6a15c5864123": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "DLP Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1f0c2ff3-8fb0-4767-8b5c-1289cc7c461d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.dlp_verdict" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "84b418b7-2bd5-473f-a0a9-6a15c5864123" + ], + "layerId": "17b5a5b0-ab60-4ac9-918d-1471b17fc36a", + "layerType": "data", + "legendDisplay": "default", + "metric": "1f0c2ff3-8fb0-4767-8b5c-1289cc7c461d", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by DLP Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-17b5a5b0-ab60-4ac9-918d-1471b17fc36a", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..9d226eafa0 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "deefc302-2a9c-4c62-8b64-db0656a1e201": { + "columnOrder": [ + "1a75a065-b075-4708-974f-e4460b593062", + "47d341a9-66d9-478c-83ed-faf1b8e6142f" + ], + "columns": { + "1a75a065-b075-4708-974f-e4460b593062": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Host IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "47d341a9-66d9-478c-83ed-faf1b8e6142f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.ip" + }, + "47d341a9-66d9-478c-83ed-faf1b8e6142f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "1a75a065-b075-4708-974f-e4460b593062", + "isTransposed": false + }, + { + "columnId": "47d341a9-66d9-478c-83ed-faf1b8e6142f", + "isTransposed": false + } + ], + "layerId": "deefc302-2a9c-4c62-8b64-db0656a1e201", + "layerType": "data" + } + }, + "title": "Top 10 Host IP [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-deefc302-2a9c-4c62-8b64-db0656a1e201", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..8889eb385a --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "818edf56-0abd-4454-a40a-9c48a9ccb60b": { + "columnOrder": [ + "30d4769c-2c7b-492d-bd13-dbd0be6331ae", + "4b2b840d-b0c8-4b5d-838a-6419d2679e57" + ], + "columns": { + "30d4769c-2c7b-492d-bd13-dbd0be6331ae": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4b2b840d-b0c8-4b5d-838a-6419d2679e57", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + "4b2b840d-b0c8-4b5d-838a-6419d2679e57": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"error_logs\"" + }, + "visualization": { + "columns": [ + { + "columnId": "30d4769c-2c7b-492d-bd13-dbd0be6331ae", + "isTransposed": false + }, + { + "columnId": "4b2b840d-b0c8-4b5d-838a-6419d2679e57", + "isTransposed": false + } + ], + "layerId": "818edf56-0abd-4454-a40a-9c48a9ccb60b", + "layerType": "data" + } + }, + "title": "Top 10 Recipients [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-818edf56-0abd-4454-a40a-9c48a9ccb60b", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..36086672f1 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "3580df6b-ad09-48fd-a1a5-82f760b16cdd": { + "columnOrder": [ + "eeafffce-6abd-40c9-9615-6707e18801b6", + "31ca0397-55c6-4109-a00c-b79e85754ffa" + ], + "columns": { + "31ca0397-55c6-4109-a00c-b79e85754ffa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "eeafffce-6abd-40c9-9615-6707e18801b6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "31ca0397-55c6-4109-a00c-b79e85754ffa", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"authentication\"" + }, + "visualization": { + "columns": [ + { + "columnId": "eeafffce-6abd-40c9-9615-6707e18801b6", + "isTransposed": false + }, + { + "columnId": "31ca0397-55c6-4109-a00c-b79e85754ffa", + "isTransposed": false + } + ], + "layerId": "3580df6b-ad09-48fd-a1a5-82f760b16cdd", + "layerType": "data" + } + }, + "title": "Top 10 User Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3580df6b-ad09-48fd-a1a5-82f760b16cdd", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..bc54edcab9 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "42e2b65e-cb47-40bb-9c1b-57ffe421f4dc": { + "columnOrder": [ + "cfaa9bc5-46c5-4cf4-968f-419ea5d8e285", + "40ee8622-c392-4ec5-bc21-d912f381c282" + ], + "columns": { + "40ee8622-c392-4ec5-bc21-d912f381c282": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "cfaa9bc5-46c5-4cf4-968f-419ea5d8e285": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "40ee8622-c392-4ec5-bc21-d912f381c282", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "email.content_type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "cfaa9bc5-46c5-4cf4-968f-419ea5d8e285" + ], + "layerId": "42e2b65e-cb47-40bb-9c1b-57ffe421f4dc", + "layerType": "data", + "legendDisplay": "default", + "metric": "40ee8622-c392-4ec5-bc21-d912f381c282", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of AMP Engine Events by File Type [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-42e2b65e-cb47-40bb-9c1b-57ffe421f4dc", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..e9393c183d --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b6923de3-cac2-47e3-b36f-2bd1f4821098": { + "columnOrder": [ + "2002d5eb-0345-4f25-88e9-cac1c904bc99", + "d61dcbdd-2a90-4b16-85f1-070dc0ba109d" + ], + "columns": { + "2002d5eb-0345-4f25-88e9-cac1c904bc99": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d61dcbdd-2a90-4b16-85f1-070dc0ba109d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "d61dcbdd-2a90-4b16-85f1-070dc0ba109d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"system\"" + }, + "visualization": { + "columns": [ + { + "columnId": "2002d5eb-0345-4f25-88e9-cac1c904bc99", + "isTransposed": false + }, + { + "columnId": "d61dcbdd-2a90-4b16-85f1-070dc0ba109d", + "isTransposed": false + } + ], + "layerId": "b6923de3-cac2-47e3-b36f-2bd1f4821098", + "layerType": "data" + } + }, + "title": "Top 10 User Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b6923de3-cac2-47e3-b36f-2bd1f4821098", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..69fc6693fb --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "11172da2-6f42-47a4-b1f4-cdbf8afdedd0": { + "columnOrder": [ + "567678aa-a7e3-4e65-93eb-68015622fc6a", + "4ce98a9d-67cd-44cc-96b8-b3d08f750b84" + ], + "columns": { + "4ce98a9d-67cd-44cc-96b8-b3d08f750b84": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "567678aa-a7e3-4e65-93eb-68015622fc6a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "AV Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4ce98a9d-67cd-44cc-96b8-b3d08f750b84", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.av_verdict" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "567678aa-a7e3-4e65-93eb-68015622fc6a" + ], + "layerId": "11172da2-6f42-47a4-b1f4-cdbf8afdedd0", + "layerType": "data", + "legendDisplay": "default", + "metric": "4ce98a9d-67cd-44cc-96b8-b3d08f750b84", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by AV Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-11172da2-6f42-47a4-b1f4-cdbf8afdedd0", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..4db14e271e --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8b6d5f6d-b1c9-4860-917a-ecac06f34b10": { + "columnOrder": [ + "a3111dae-5b02-4296-88ff-61197bd0f3f9", + "c3597c7d-4468-4194-8f2d-a453ced98438" + ], + "columns": { + "a3111dae-5b02-4296-88ff-61197bd0f3f9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Mime Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c3597c7d-4468-4194-8f2d-a453ced98438", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "email.attachments.file.mime_type" + }, + "c3597c7d-4468-4194-8f2d-a453ced98438": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "a3111dae-5b02-4296-88ff-61197bd0f3f9" + ], + "layerId": "8b6d5f6d-b1c9-4860-917a-ecac06f34b10", + "layerType": "data", + "legendDisplay": "default", + "metric": "c3597c7d-4468-4194-8f2d-a453ced98438", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of AMP Engine Events by File MIME Type [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8b6d5f6d-b1c9-4860-917a-ecac06f34b10", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..1ddc45965a --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0c19b962-3c1b-47bd-b455-08fe74f0d713": { + "columnOrder": [ + "5633dc67-ee99-44e0-9fc9-1eeb069871a7", + "df66b654-83dc-4985-830d-a241adefbc2c" + ], + "columns": { + "5633dc67-ee99-44e0-9fc9-1eeb069871a7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "df66b654-83dc-4985-830d-a241adefbc2c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + }, + "df66b654-83dc-4985-830d-a241adefbc2c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"authentication\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "5633dc67-ee99-44e0-9fc9-1eeb069871a7" + ], + "layerId": "0c19b962-3c1b-47bd-b455-08fe74f0d713", + "layerType": "data", + "legendDisplay": "default", + "metric": "df66b654-83dc-4985-830d-a241adefbc2c", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Authentication Events by Outcome [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0c19b962-3c1b-47bd-b455-08fe74f0d713", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..0e6fb078df --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5283a6c5-2dfa-4758-99c0-567b3c5b187c": { + "columnOrder": [ + "c606b455-7a81-4667-9520-2ae212768375", + "f4dacf24-f68a-4415-b82a-a2a6e3a1b3fe" + ], + "columns": { + "c606b455-7a81-4667-9520-2ae212768375": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sender", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f4dacf24-f68a-4415-b82a-a2a6e3a1b3fe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.from.address" + }, + "f4dacf24-f68a-4415-b82a-a2a6e3a1b3fe": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "c606b455-7a81-4667-9520-2ae212768375", + "isTransposed": false + }, + { + "columnId": "f4dacf24-f68a-4415-b82a-a2a6e3a1b3fe", + "isTransposed": false + } + ], + "layerId": "5283a6c5-2dfa-4758-99c0-567b3c5b187c", + "layerType": "data" + } + }, + "title": "Top 10 Sender [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5283a6c5-2dfa-4758-99c0-567b3c5b187c", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..d5a2aa2d81 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "57751ffc-a4b1-4c64-88ce-1e692814b206": { + "columnOrder": [ + "23017c0a-ce72-475c-a40c-9f98f6036ea5", + "43da0051-67fe-4cab-9dcd-acd44e8eede1" + ], + "columns": { + "23017c0a-ce72-475c-a40c-9f98f6036ea5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "43da0051-67fe-4cab-9dcd-acd44e8eede1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "43da0051-67fe-4cab-9dcd-acd44e8eede1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "23017c0a-ce72-475c-a40c-9f98f6036ea5", + "isTransposed": false + }, + { + "columnId": "43da0051-67fe-4cab-9dcd-acd44e8eede1", + "isTransposed": false + } + ], + "layerId": "57751ffc-a4b1-4c64-88ce-1e692814b206", + "layerType": "data" + } + }, + "title": "Top 10 User Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-57751ffc-a4b1-4c64-88ce-1e692814b206", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..cab94ac252 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "28922e0d-d6e4-4a94-95f2-102ec6f181ac": { + "columnOrder": [ + "8a344e0b-f642-4c42-b815-60433dfbfbb9", + "c229ce5c-eb61-4540-853d-6cc2098ca1d2" + ], + "columns": { + "8a344e0b-f642-4c42-b815-60433dfbfbb9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vendor Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c229ce5c-eb61-4540-853d-6cc2098ca1d2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.vendor_action" + }, + "c229ce5c-eb61-4540-853d-6cc2098ca1d2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"mail_logs\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "8a344e0b-f642-4c42-b815-60433dfbfbb9" + ], + "layerId": "28922e0d-d6e4-4a94-95f2-102ec6f181ac", + "layerType": "data", + "legendDisplay": "default", + "metric": "c229ce5c-eb61-4540-853d-6cc2098ca1d2", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Vendor Action [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-28922e0d-d6e4-4a94-95f2-102ec6f181ac", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..0cfe5a5b8d --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0c3a1ff3-eb26-42fd-8196-49c12251bd49": { + "columnOrder": [ + "cebc1213-bb3f-4000-b747-5f0b0c608b4b", + "e1416011-657e-40b0-9af8-ff3bcbdf0617" + ], + "columns": { + "cebc1213-bb3f-4000-b747-5f0b0c608b4b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Agent Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e1416011-657e-40b0-9af8-ff3bcbdf0617", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.name" + }, + "e1416011-657e-40b0-9af8-ff3bcbdf0617": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "cebc1213-bb3f-4000-b747-5f0b0c608b4b" + ], + "layerId": "0c3a1ff3-eb26-42fd-8196-49c12251bd49", + "layerType": "data", + "legendDisplay": "default", + "metric": "e1416011-657e-40b0-9af8-ff3bcbdf0617", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of GUI Events by User Agent Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0c3a1ff3-eb26-42fd-8196-49c12251bd49", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..d665143dc6 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54.json @@ -0,0 +1,113 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "58c79990-e129-4e1d-a7c5-2f663c86109f": { + "columnOrder": [ + "7e1dc911-a513-41bd-9e56-5366699d06e0", + "9a441fcb-5153-497e-85dc-6d3efb3b54cc", + "1abb990c-1e38-4ba3-b160-b0cea323aefc" + ], + "columns": { + "1abb990c-1e38-4ba3-b160-b0cea323aefc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "7e1dc911-a513-41bd-9e56-5366699d06e0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1abb990c-1e38-4ba3-b160-b0cea323aefc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.name" + }, + "9a441fcb-5153-497e-85dc-6d3efb3b54cc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Version", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1abb990c-1e38-4ba3-b160-b0cea323aefc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.version" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "7e1dc911-a513-41bd-9e56-5366699d06e0", + "9a441fcb-5153-497e-85dc-6d3efb3b54cc" + ], + "layerId": "58c79990-e129-4e1d-a7c5-2f663c86109f", + "layerType": "data", + "legendDisplay": "default", + "metric": "1abb990c-1e38-4ba3-b160-b0cea323aefc", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of GUI Events by OS, OS Version [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-58c79990-e129-4e1d-a7c5-2f663c86109f", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..f630fb9348 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "52251872-020b-4855-9c01-fbebd4df0064": { + "columnOrder": [ + "585842e9-697b-43a6-99cb-e905245ce2e2", + "1c89cec4-799f-407c-a53c-d4f2332d7966" + ], + "columns": { + "1c89cec4-799f-407c-a53c-d4f2332d7966": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "585842e9-697b-43a6-99cb-e905245ce2e2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1c89cec4-799f-407c-a53c-d4f2332d7966", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.verdict" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "585842e9-697b-43a6-99cb-e905245ce2e2" + ], + "layerId": "52251872-020b-4855-9c01-fbebd4df0064", + "layerType": "data", + "legendDisplay": "default", + "metric": "1c89cec4-799f-407c-a53c-d4f2332d7966", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of AMP Engine Events by Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-52251872-020b-4855-9c01-fbebd4df0064", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..c40fe6807a --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9d0f1c67-8726-4c33-8c99-5c6616fd273c": { + "columnOrder": [ + "1e49a823-db00-4ed1-bdfd-63c58746120c", + "22dbf62a-c96a-4237-b7aa-7a85dbbb56f0" + ], + "columns": { + "1e49a823-db00-4ed1-bdfd-63c58746120c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "AMP Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "22dbf62a-c96a-4237-b7aa-7a85dbbb56f0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.amp_verdict" + }, + "22dbf62a-c96a-4237-b7aa-7a85dbbb56f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "1e49a823-db00-4ed1-bdfd-63c58746120c" + ], + "layerId": "9d0f1c67-8726-4c33-8c99-5c6616fd273c", + "layerType": "data", + "legendDisplay": "default", + "metric": "22dbf62a-c96a-4237-b7aa-7a85dbbb56f0", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by AMP Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9d0f1c67-8726-4c33-8c99-5c6616fd273c", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..939c91d10c --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "cc97ded6-1926-428a-a6d3-d13b3b47b8ba": { + "columnOrder": [ + "50f68a81-af9c-4a46-8f31-49957891f03e", + "536e9932-8f25-4096-a1f1-cc40da5e099b" + ], + "columns": { + "50f68a81-af9c-4a46-8f31-49957891f03e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Spy Name ", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "536e9932-8f25-4096-a1f1-cc40da5e099b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.spy_name" + }, + "536e9932-8f25-4096-a1f1-cc40da5e099b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "50f68a81-af9c-4a46-8f31-49957891f03e", + "isTransposed": false + }, + { + "columnId": "536e9932-8f25-4096-a1f1-cc40da5e099b", + "isTransposed": false + } + ], + "layerId": "cc97ded6-1926-428a-a6d3-d13b3b47b8ba", + "layerType": "data" + } + }, + "title": "Top 10 Spy Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cc97ded6-1926-428a-a6d3-d13b3b47b8ba", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..216d522978 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "316330ba-0c74-48a8-a005-a83d62b22825": { + "columnOrder": [ + "49ecc95f-4e3e-4886-b6a9-f877f37aa93d", + "190364eb-0f7a-4409-b39e-761d5f9bd865" + ], + "columns": { + "190364eb-0f7a-4409-b39e-761d5f9bd865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "49ecc95f-4e3e-4886-b6a9-f877f37aa93d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Response Status Code", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "190364eb-0f7a-4409-b39e-761d5f9bd865", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "190364eb-0f7a-4409-b39e-761d5f9bd865" + ], + "layerId": "316330ba-0c74-48a8-a005-a83d62b22825", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "49ecc95f-4e3e-4886-b6a9-f877f37aa93d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of GUI Events by Response Status Code [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-316330ba-0c74-48a8-a005-a83d62b22825", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..6f032319d4 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "fe14132b-14b3-40e4-9b9e-7c4b3d3d2b77": { + "columnOrder": [ + "764bb009-19ef-4869-aa16-a7eb988b2fa5", + "ab96a3d6-1f5f-472e-8ad7-ea84cde4d565" + ], + "columns": { + "764bb009-19ef-4869-aa16-a7eb988b2fa5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Mail Flow Policy Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ab96a3d6-1f5f-472e-8ad7-ea84cde4d565", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.mail_flow_policy" + }, + "ab96a3d6-1f5f-472e-8ad7-ea84cde4d565": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "764bb009-19ef-4869-aa16-a7eb988b2fa5" + }, + { + "columnId": "ab96a3d6-1f5f-472e-8ad7-ea84cde4d565" + } + ], + "layerId": "fe14132b-14b3-40e4-9b9e-7c4b3d3d2b77", + "layerType": "data" + } + }, + "title": "Top 10 Mail Flow Policy Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fe14132b-14b3-40e4-9b9e-7c4b3d3d2b77", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..02cd38abc3 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d10ac2c6-458d-45cf-95cd-b75b40a3cc6b": { + "columnOrder": [ + "c6d33863-6a91-474c-891b-0a0930325222", + "08f66015-bfdb-489f-aea0-65ba4323e2f0" + ], + "columns": { + "08f66015-bfdb-489f-aea0-65ba4323e2f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c6d33863-6a91-474c-891b-0a0930325222": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "08f66015-bfdb-489f-aea0-65ba4323e2f0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.alert_category" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"error_logs\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "08f66015-bfdb-489f-aea0-65ba4323e2f0" + ], + "layerId": "d10ac2c6-458d-45cf-95cd-b75b40a3cc6b", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "c6d33863-6a91-474c-891b-0a0930325222" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Error Events by Alert Category [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d10ac2c6-458d-45cf-95cd-b75b40a3cc6b", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..00dc67a9a3 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e1b7b06d-61e8-4cfa-801f-e3bc0b1fa441": { + "columnOrder": [ + "79fb3bd8-2d7a-461e-8c28-0f8bec664fd8", + "9e9261cd-f646-4a17-acf9-b6fb69bf03e2" + ], + "columns": { + "79fb3bd8-2d7a-461e-8c28-0f8bec664fd8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9e9261cd-f646-4a17-acf9-b6fb69bf03e2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object" + }, + "9e9261cd-f646-4a17-acf9-b6fb69bf03e2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"mail_logs\"" + }, + "visualization": { + "columns": [ + { + "columnId": "79fb3bd8-2d7a-461e-8c28-0f8bec664fd8" + }, + { + "columnId": "9e9261cd-f646-4a17-acf9-b6fb69bf03e2" + } + ], + "layerId": "e1b7b06d-61e8-4cfa-801f-e3bc0b1fa441", + "layerType": "data" + } + }, + "title": "Top 10 Object [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e1b7b06d-61e8-4cfa-801f-e3bc0b1fa441", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..5f27776ac4 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "779692f9-3e0c-4c4b-833f-ab67b6d44a95": { + "columnOrder": [ + "011d4b64-1db3-447f-896e-a198dd74186c", + "ae49f917-e61b-4cd6-b8fc-998b0802347d" + ], + "columns": { + "011d4b64-1db3-447f-896e-a198dd74186c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ae49f917-e61b-4cd6-b8fc-998b0802347d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.severity" + }, + "ae49f917-e61b-4cd6-b8fc-998b0802347d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "011d4b64-1db3-447f-896e-a198dd74186c" + ], + "layerId": "779692f9-3e0c-4c4b-833f-ab67b6d44a95", + "layerType": "data", + "legendDisplay": "default", + "metric": "ae49f917-e61b-4cd6-b8fc-998b0802347d", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Severity [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-779692f9-3e0c-4c4b-833f-ab67b6d44a95", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..b973ea612c --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1aef4ea3-e481-42a1-b355-8c667e236324": { + "columnOrder": [ + "50a245e4-241d-429f-b5c4-c7144eb4f76c", + "0ec405bd-21bc-49e3-a131-7e54edae86db" + ], + "columns": { + "0ec405bd-21bc-49e3-a131-7e54edae86db": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "50a245e4-241d-429f-b5c4-c7144eb4f76c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Receiver", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0ec405bd-21bc-49e3-a131-7e54edae86db", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "50a245e4-241d-429f-b5c4-c7144eb4f76c", + "isTransposed": false + }, + { + "columnId": "0ec405bd-21bc-49e3-a131-7e54edae86db", + "isTransposed": false + } + ], + "layerId": "1aef4ea3-e481-42a1-b355-8c667e236324", + "layerType": "data" + } + }, + "title": "Top 10 Receiver [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1aef4ea3-e481-42a1-b355-8c667e236324", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..c13396de23 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4315e942-ba49-474d-af76-6710ec550ad6": { + "columnOrder": [ + "e083e8f2-9f3a-4a86-9da1-5d14ac1653db", + "08e67d54-9697-4721-9ddc-ac4846ab92e6" + ], + "columns": { + "08e67d54-9697-4721-9ddc-ac4846ab92e6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "e083e8f2-9f3a-4a86-9da1-5d14ac1653db": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Message Final Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "08e67d54-9697-4721-9ddc-ac4846ab92e6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.act" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "08e67d54-9697-4721-9ddc-ac4846ab92e6" + ], + "layerId": "4315e942-ba49-474d-af76-6710ec550ad6", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "e083e8f2-9f3a-4a86-9da1-5d14ac1653db" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Consolidated Events by Message Final Action [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4315e942-ba49-474d-af76-6710ec550ad6", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..c98712fcfb --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "266b7fe0-231d-4c2a-973a-fc88a87f6b0e": { + "columnOrder": [ + "65aa90e8-5709-41df-aa29-56880e3b66a3", + "a2f6bdea-fd70-4b8d-9452-416c7b5840c7" + ], + "columns": { + "65aa90e8-5709-41df-aa29-56880e3b66a3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Helo Domain IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a2f6bdea-fd70-4b8d-9452-416c7b5840c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.helo.ip" + }, + "a2f6bdea-fd70-4b8d-9452-416c7b5840c7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "65aa90e8-5709-41df-aa29-56880e3b66a3", + "isTransposed": false + }, + { + "columnId": "a2f6bdea-fd70-4b8d-9452-416c7b5840c7", + "isTransposed": false + } + ], + "layerId": "266b7fe0-231d-4c2a-973a-fc88a87f6b0e", + "layerType": "data" + } + }, + "title": "Top 10 Helo Domain IP [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-266b7fe0-231d-4c2a-973a-fc88a87f6b0e", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..7170eb2ef8 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "aba8c8ac-6e7f-4be4-8ea7-adb3c00a711f": { + "columnOrder": [ + "d67f2de8-71ad-40c1-97da-732f12742c77", + "7599b0e8-574e-48da-8274-d0c65d2ee992" + ], + "columns": { + "7599b0e8-574e-48da-8274-d0c65d2ee992": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d67f2de8-71ad-40c1-97da-732f12742c77": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "AS Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7599b0e8-574e-48da-8274-d0c65d2ee992", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.as_verdict" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "d67f2de8-71ad-40c1-97da-732f12742c77" + ], + "layerId": "aba8c8ac-6e7f-4be4-8ea7-adb3c00a711f", + "layerType": "data", + "legendDisplay": "default", + "metric": "7599b0e8-574e-48da-8274-d0c65d2ee992", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by AS Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-aba8c8ac-6e7f-4be4-8ea7-adb3c00a711f", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54.json new file mode 100755 index 0000000000..2e0fc32ada --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54.json @@ -0,0 +1,121 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "92246eb5-8cb8-441e-b9fe-ff56c6ff0997": { + "columnOrder": [ + "172c29b9-e8bc-48f2-aa9c-796d076a7895", + "5ea232ac-12df-4c6e-af79-0d1b41d3e34c" + ], + "columns": { + "172c29b9-e8bc-48f2-aa9c-796d076a7895": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Request", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5ea232ac-12df-4c6e-af79-0d1b41d3e34c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "http.request.method" + }, + "5ea232ac-12df-4c6e-af79-0d1b41d3e34c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "5ea232ac-12df-4c6e-af79-0d1b41d3e34c" + ], + "layerId": "92246eb5-8cb8-441e-b9fe-ff56c6ff0997", + "layerType": "data", + "seriesType": "bar_stacked", + "xAccessor": "172c29b9-e8bc-48f2-aa9c-796d076a7895" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of GUI Events by Request [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-92246eb5-8cb8-441e-b9fe-ff56c6ff0997", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..758185c2e5 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "103310a0-a5d9-4d8c-b1da-a8c57e13a563": { + "columnOrder": [ + "76d8af3a-1ff0-49d6-91a8-0b1cc16ce6fa", + "1a58cfa2-a182-4a3f-8636-14e9474aa0ea" + ], + "columns": { + "1a58cfa2-a182-4a3f-8636-14e9474aa0ea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "76d8af3a-1ff0-49d6-91a8-0b1cc16ce6fa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Connection Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1a58cfa2-a182-4a3f-8636-14e9474aa0ea", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.connection_status" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "76d8af3a-1ff0-49d6-91a8-0b1cc16ce6fa" + ], + "layerId": "103310a0-a5d9-4d8c-b1da-a8c57e13a563", + "layerType": "data", + "legendDisplay": "default", + "metric": "1a58cfa2-a182-4a3f-8636-14e9474aa0ea", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Connection Status [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-103310a0-a5d9-4d8c-b1da-a8c57e13a563", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..030aac998a --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d9f68bb4-618e-4b30-814c-201e302ee9c9": { + "columnOrder": [ + "869adebc-36ff-411a-b8c0-b324b1faa097", + "e91fac87-d093-46e6-8ca9-65ed84915897" + ], + "columns": { + "869adebc-36ff-411a-b8c0-b324b1faa097": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Reason", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e91fac87-d093-46e6-8ca9-65ed84915897", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.reason" + }, + "e91fac87-d093-46e6-8ca9-65ed84915897": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "869adebc-36ff-411a-b8c0-b324b1faa097" + }, + { + "columnId": "e91fac87-d093-46e6-8ca9-65ed84915897" + } + ], + "layerId": "d9f68bb4-618e-4b30-814c-201e302ee9c9", + "layerType": "data" + } + }, + "title": "Top 10 Reason [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d9f68bb4-618e-4b30-814c-201e302ee9c9", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..7314563472 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "29be06db-aa85-4914-8578-266c2829069c": { + "columnOrder": [ + "4b6916be-5bf4-49da-80ec-16fab2491238", + "d135bce7-6aed-4a4b-9550-6d1bcfa5b134" + ], + "columns": { + "4b6916be-5bf4-49da-80ec-16fab2491238": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vendor Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d135bce7-6aed-4a4b-9550-6d1bcfa5b134", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.vendor_action" + }, + "d135bce7-6aed-4a4b-9550-6d1bcfa5b134": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"content_scanner\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "4b6916be-5bf4-49da-80ec-16fab2491238" + ], + "layerId": "29be06db-aa85-4914-8578-266c2829069c", + "layerType": "data", + "legendDisplay": "default", + "metric": "d135bce7-6aed-4a4b-9550-6d1bcfa5b134", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Content Scanner Events by Vendor Action [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-29be06db-aa85-4914-8578-266c2829069c", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..d4bc745225 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,88 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "28af0ace-bcd2-4e99-89aa-b01cac4be65f": { + "columnOrder": [ + "a5bedf0e-5e8a-4fb3-9be5-0980e2e39cca", + "02da5f04-8364-4341-b24b-4e381bde6404" + ], + "columns": { + "02da5f04-8364-4341-b24b-4e381bde6404": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "a5bedf0e-5e8a-4fb3-9be5-0980e2e39cca": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Receiver", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "02da5f04-8364-4341-b24b-4e381bde6404", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"mail_logs\"" + }, + "visualization": { + "columns": [ + { + "columnId": "a5bedf0e-5e8a-4fb3-9be5-0980e2e39cca", + "isTransposed": false + }, + { + "columnId": "02da5f04-8364-4341-b24b-4e381bde6404", + "isTransposed": false + } + ], + "layerId": "28af0ace-bcd2-4e99-89aa-b01cac4be65f", + "layerType": "data" + } + }, + "title": "Top 10 Receivers [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-28af0ace-bcd2-4e99-89aa-b01cac4be65f", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..3eacd71441 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "209d92c9-a130-4ba9-8e21-35662ea8c98e": { + "columnOrder": [ + "1a4f6e44-23c6-4726-988a-6706f595eda1", + "6fa0fc6c-efc2-42b1-96a1-78623735199e" + ], + "columns": { + "1a4f6e44-23c6-4726-988a-6706f595eda1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Upload Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6fa0fc6c-efc2-42b1-96a1-78623735199e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.upload.action" + }, + "6fa0fc6c-efc2-42b1-96a1-78623735199e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6fa0fc6c-efc2-42b1-96a1-78623735199e" + ], + "layerId": "209d92c9-a130-4ba9-8e21-35662ea8c98e", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "1a4f6e44-23c6-4726-988a-6706f595eda1" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of AMP Engine Events by Upload Action [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-209d92c9-a130-4ba9-8e21-35662ea8c98e", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..44aa491de9 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "cd41a4ab-14cf-4d2d-b6b1-d02e3d1ee5a4": { + "columnOrder": [ + "90afc0e9-dee1-46ee-8e96-31602ed929cb", + "f0096080-5bb8-4acd-b43d-a5d459fbae24" + ], + "columns": { + "90afc0e9-dee1-46ee-8e96-31602ed929cb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Network Protocol", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f0096080-5bb8-4acd-b43d-a5d459fbae24", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + }, + "f0096080-5bb8-4acd-b43d-a5d459fbae24": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"mail_logs\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "90afc0e9-dee1-46ee-8e96-31602ed929cb" + ], + "layerId": "cd41a4ab-14cf-4d2d-b6b1-d02e3d1ee5a4", + "layerType": "data", + "legendDisplay": "default", + "metric": "f0096080-5bb8-4acd-b43d-a5d459fbae24", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Network Protocol [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cd41a4ab-14cf-4d2d-b6b1-d02e3d1ee5a4", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..3a0a7570ec --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "cd9e61a8-35d1-4605-b150-d09bf82d3f00": { + "columnOrder": [ + "11d65fa4-175f-4cf6-8886-d85e8a9ed8f5", + "31cee9bf-5352-45fa-8574-6cec1a2790c3" + ], + "columns": { + "11d65fa4-175f-4cf6-8886-d85e8a9ed8f5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Content Filters Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "31cee9bf-5352-45fa-8574-6cec1a2790c3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.content_filter_verdict" + }, + "31cee9bf-5352-45fa-8574-6cec1a2790c3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "11d65fa4-175f-4cf6-8886-d85e8a9ed8f5" + ], + "layerId": "cd9e61a8-35d1-4605-b150-d09bf82d3f00", + "layerType": "data", + "legendDisplay": "default", + "metric": "31cee9bf-5352-45fa-8574-6cec1a2790c3", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by Content Filters Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cd9e61a8-35d1-4605-b150-d09bf82d3f00", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..622bfe4ae2 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5534c705-73de-4482-818b-4b48acea0af1": { + "columnOrder": [ + "11a0d6ef-3389-4d51-9658-7ae3d39462a8", + "50ecfbc3-6f73-409e-8445-c8254e49b032" + ], + "columns": { + "11a0d6ef-3389-4d51-9658-7ae3d39462a8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Outbreak Filters Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "50ecfbc3-6f73-409e-8445-c8254e49b032", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.outbreak_filter_verdict" + }, + "50ecfbc3-6f73-409e-8445-c8254e49b032": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "11a0d6ef-3389-4d51-9658-7ae3d39462a8" + ], + "layerId": "5534c705-73de-4482-818b-4b48acea0af1", + "layerType": "data", + "legendDisplay": "default", + "metric": "50ecfbc3-6f73-409e-8445-c8254e49b032", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by Outbreak Filters Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5534c705-73de-4482-818b-4b48acea0af1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b.json new file mode 100755 index 0000000000..b59e622a5b --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/lens/cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "71b0750f-93db-4016-9294-b408f583b750": { + "columnOrder": [ + "13a1a6db-99d0-4b3d-a4cb-81539ecc9e0b", + "45bb21c7-aa5f-4d67-a537-c878b32f0f23" + ], + "columns": { + "13a1a6db-99d0-4b3d-a4cb-81539ecc9e0b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Message Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "45bb21c7-aa5f-4d67-a537-c878b32f0f23", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.message_status" + }, + "45bb21c7-aa5f-4d67-a537-c878b32f0f23": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "13a1a6db-99d0-4b3d-a4cb-81539ecc9e0b" + ], + "layerId": "71b0750f-93db-4016-9294-b408f583b750", + "layerType": "data", + "legendDisplay": "default", + "metric": "45bb21c7-aa5f-4d67-a537-c878b32f0f23", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Message Status [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-71b0750f-93db-4016-9294-b408f583b750", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..47fb3f3ce2 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "title": "Quarantine Process Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"867a9950-5f15-460a-98b4-9bb0eeec0d8d\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"e6a4bd49-6b02-49dc-8204-b4e4cee693b0\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_secure_email_gateway.log.quarantine.load\",\"id\":\"ad8aab01-a047-4608-9587-73f25a02c850\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Quarantine Process Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..6f8e2d7b1c --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "title": "CASE Scanning Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"1ca757e4-9986-4109-82f8-a18e8f68cd35\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9ea79ff-857a-4c19-8864-dd32d5ecb80d\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_secure_email_gateway.log.case_ld\",\"id\":\"633c2888-96a2-4c24-a93b-e647ced942ed\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"CASE Scanning Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..a4f561f685 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "title": "CPU Utilization Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"1af71592-86d8-4efb-b424-d6ecf7944ace\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b509ab9e-7f7b-44f2-8ee6-258b88e17dfa\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_secure_email_gateway.log.cpu.utilization\",\"id\":\"4deb212e-daed-4c60-b947-aa33baeaa2a9\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cisco_secure_email_gateway.log.cpu.utilization\",\"terms_order_by\":\"_count\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"CPU Utilization Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..eb5e981def --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "title": "Disk I/O Utilization Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"ba00a756-2315-4580-8c44-8daa6a4fe42c\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a579bc05-7302-4698-a465-cc9c33326c93\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_secure_email_gateway.log.disk_io\",\"id\":\"bfc3259d-32c5-4aea-9581-14ae6945e2b0\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Disk I/O Utilization Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..b23acaa362 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "title": "Reporting Process Over Time [Cisco Secure Email Gateway]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"706b3574-bdb3-4b5e-b60c-535ecba9d3ea\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"6a5040fa-12e2-4a8f-a1da-51c6a6dcf2cb\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_secure_email_gateway.log.reporting_load\",\"id\":\"4c616f23-37ef-433f-9642-8bf6502b479a\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Reporting Process Over Time [Cisco Secure Email Gateway]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..80c7bffdbf --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "title": "Ram Utilization Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"f3f0956a-14bb-45c8-b03d-9bae49240821\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"cbb2c4b6-0c49-4fc3-814e-68a7c117ad7b\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_secure_email_gateway.log.ram.utilization\",\"id\":\"d665c81d-8a7d-48fd-9ff4-697bbd4dbceb\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Ram Utilization Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..4d620909f0 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "title": "McAfee Anti-Virus Scanning Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"0f2aec48-9a36-4fe0-a4ad-5922a129b4c3\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"2c4e6b49-e60c-4d4d-b2c4-c443928f93d7\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_secure_email_gateway.log.mcafee_ld\",\"id\":\"4a343f0d-2f6d-437d-a702-9707ee05de91\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"McAfee Anti-Virus Scanning Over Time [Logs Cisco Secure Email Gateway]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a.json new file mode 100755 index 0000000000..78d9222729 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/kibana/visualization/cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"cisco_secure_email_gateway.log\\\"\"}}" + }, + "title": "Sophos Anti-Virus Scanning Over Time [Cisco Secure Email Gateway]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"e8547150-1b72-456e-abb0-1f63a4c82e4a\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"id\":\"4e1b5734-d731-4efe-85f7-cb7a6812819b\",\"label\":\"Count\",\"line_width\":1,\"metrics\":[{\"field\":\"cisco_secure_email_gateway.log.sophos_ld\",\"id\":\"5b85a7fb-52f0-4f23-a808-07a23ae8157d\",\"type\":\"avg\"}],\"override_index_pattern\":0,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"series_drop_last_bucket\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Sophos Anti-Virus Scanning Over Time [Cisco Secure Email Gateway]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/1.0.1/manifest.yml b/packages/cisco_secure_email_gateway/1.0.1/manifest.yml new file mode 100755 index 0000000000..614abb46b4 --- /dev/null +++ b/packages/cisco_secure_email_gateway/1.0.1/manifest.yml @@ -0,0 +1,38 @@ +format_version: 1.0.0 +name: cisco_secure_email_gateway +title: Cisco Secure Email Gateway +version: "1.0.1" +license: basic +description: Collect logs from Cisco Secure Email Gateway with Elastic Agent. +type: integration +categories: + - security +release: ga +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/cisco-secure-email-gateway-screenshot.png + title: Cisco Secure Email Gateway dashboard screenshot + size: 600x600 + type: image/png +icons: + - src: /img/cisco-logo.svg + title: Cisco logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: Cisco Secure Email Gateway + title: Cisco Secure Email Gateway logs + description: Collect Cisco Secure Email Gateway logs. + inputs: + - type: logfile + title: Collect logs from Cisco Secure Email Gateway instances + description: Collecting Cisco Secure Email Gateway logs. + - type: tcp + title: Collect Cisco Secure Email Gateway logs via TCP input + description: Collecting Cisco Secure Email Gateway logs via TCP input. + - type: udp + title: Collect Cisco Secure Email Gateway logs via UDP input + description: Collecting Cisco Secure Email Gateway logs via UDP input. +owner: + github: elastic/security-external-integrations diff --git a/packages/cisco_secure_endpoint/2.6.2/LICENSE.txt b/packages/cisco_secure_endpoint/2.6.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cisco_secure_endpoint/2.6.2/changelog.yml b/packages/cisco_secure_endpoint/2.6.2/changelog.yml new file mode 100755 index 0000000000..e01348b25b --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/changelog.yml @@ -0,0 +1,104 @@ +# newer versions go on top +- version: "2.6.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4400 +- version: "2.6.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "2.6.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3843 +- version: "2.5.2" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "2.5.1" + changes: + - description: Fix rate limit reset time. + type: bugfix + link: https://github.com/elastic/integrations/pull/3558 +- version: "2.5.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "2.4.1" + changes: + - description: update read me with link to vendor documentation + type: enhancement + link: https://github.com/elastic/integrations/pull/3225 +- version: "2.4.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "2.3.1" + changes: + - description: Fix typo in config template for ignoring host enrichment + type: bugfix + link: https://github.com/elastic/integrations/pull/3092 +- version: "2.3.0" + changes: + - description: Ensure pagination exits correctly and remove possible host fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2915 +- version: "2.2.0" + changes: + - description: Fix propagation of information from host.name. + type: enhancement + link: https://github.com/elastic/integrations/pull/2915 +- version: "2.1.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "2.1.0" + changes: + - description: Adding possibility to extract host and user data if possible. + type: enhancement + link: https://github.com/elastic/integrations/pull/2888 +- version: "2.0.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2395 + - description: Normalize MAC address; replace host.user.name with user.name + type: breaking-change + link: https://github.com/elastic/integrations/pull/2395 +- version: "1.0.0" + changes: + - description: GA integration + type: enhancement + link: https://github.com/elastic/integrations/pull/2360 +- version: "0.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "0.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2253 +- version: "0.1.1" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1958 +- version: "0.1.0" + changes: + - description: Initial migration from Filebeat Module + type: enhancement + link: https://github.com/elastic/integrations/pull/1645 diff --git a/packages/cisco_secure_endpoint/2.6.2/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..55ae33cddf --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/agent/stream/httpjson.yml.hbs @@ -0,0 +1,59 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" +request.url: {{ url }} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +auth.basic.user: {{ client_id }} +auth.basic.password: {{ api_key }} + +request.transforms: +- set: + target: url.params.start_date + value: '[[.cursor.timestamp]]' + default: '[[ formatDate (now (parseDuration "-{{ initial_interval }}")) "2006-01-02T15:04:05-07:00" ]]' +- set: + target: url.params.limit + value: {{ limit }} + +request.rate_limit.limit: '[[ .last_response.header.Get "X-Rate-Limit-Limit" ]]' +request.rate_limit.early_limit: 1 +request.rate_limit.reset: '[[ add (toInt (.last_response.header.Get "X-Rate-Limit-Reset")) ((now).Unix) ]]' +request.rate_limit.remaining: '[[ .last_response.header.Get "X-Rate-Limit-Remaining" ]]' + +response.split: + target: body.data + keep_parent: true + +response.pagination: +- set: + target: url.value + value: '[[ .last_response.body.metadata.links.next ]]' + fail_on_template_error: true + +cursor: + timestamp: + value: '[[ .first_event.data.date ]]' + +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cisco_secure_endpoint/2.6.2/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..cd0dca31fb --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,634 @@ +--- +description: Pipeline for parsing Cisco Secure Endpoint logs +processors: +- remove: + field: host + ignore_missing: true +- rename: + field: message + target_field: event.original + ignore_missing: true +- json: + field: event.original + target_field: json + if: ctx?.json == null +######################### +## ECS General Mapping ## +######################### +- fingerprint: + fields: + - "json.data.timestamp" + - "json.data.timestamp_nanoseconds" + - "json.data.event_type_id" + - "json.data.connector_guid" + - "json.data.id" + - "json.data.detection_id" + target_field: "_id" + ignore_missing: true +- rename: + field: json.data + target_field: cisco.secure_endpoint + ignore_missing: true +- date: + field: cisco.secure_endpoint.timestamp + formats: + - UNIX + ignore_failure: true + +####################### +## ECS Event Mapping ## +####################### +- set: + field: ecs.version + value: '8.4.0' +- set: + field: event.kind + value: alert +- convert: + field: cisco.secure_endpoint.id + target_field: event.id + type: string + ignore_missing: true +- append: + field: event.category + value: file + if: ctx?.cisco?.secure_endpoint?.file?.file_name != null +- append: + field: event.category + value: malware + if: 'ctx?.cisco?.secure_endpoint?.file?.disposition == "Malicious"' +- rename: + field: cisco.secure_endpoint.event_type + target_field: event.action + ignore_missing: true +- convert: + field: cisco.secure_endpoint.event_type_id + target_field: event.code + type: string + ignore_missing: true +- set: + field: event.severity + value: 1 + if: ctx?.cisco?.secure_endpoint?.severity == 'Low' +- set: + field: event.severity + value: 2 + if: ctx?.cisco?.secure_endpoint?.severity == 'Medium' +- set: + field: event.severity + value: 3 + if: ctx?.cisco?.secure_endpoint?.severity == 'High' +- set: + field: event.severity + value: 4 + if: ctx?.cisco?.secure_endpoint?.severity == 'Critical' +- set: + field: event.severity + value: 0 + if: ctx?.cisco?.secure_endpoint?.severity == null +- date: + field: cisco.secure_endpoint.start_timestamp + target_field: event.start + formats: + - UNIX + ignore_failure: true + if: ctx?.cisco?.secure_endpoint?.start_timestamp != null +- rename: + field: cisco.secure_endpoint.techniques + target_field: threat.technique.id + if: "ctx?.cisco?.secure_endpoint?.techniques != null && ctx?.cisco?.secure_endpoint?.techniques.length > 0 && ctx?.cisco?.secure_endpoint?.techniques[0] instanceof String" +- rename: + field: cisco.secure_endpoint.tactics + target_field: threat.tactic.id + if: "ctx?.cisco?.secure_endpoint?.tactics != null && ctx?.cisco?.secure_endpoint?.tactics.length > 0 && ctx?.cisco?.secure_endpoint?.tactics[0] instanceof String" +- script: + lang: painless + source: | + if (ctx?.threat == null) { + ctx.threat = new HashMap(); + } + if (ctx?.threat.technique == null) { + ctx.threat.technique = new HashMap(); + } + if (ctx?.threat.technique.id == null) { + ctx.threat.technique.id = new ArrayList(); + } + if (ctx?.threat.technique.name == null) { + ctx.threat.technique.name = new ArrayList(); + } + if (ctx?.threat.technique.reference == null) { + ctx.threat.technique.reference = new ArrayList(); + } + for (technique in ctx?.cisco?.secure_endpoint?.techniques) { + if (technique.name != null) { + if (!ctx?.threat.technique.name.contains(technique.name)) { + ctx?.threat.technique.name.add(technique.name); + } + } + if (technique.external_id != null) { + if (!ctx?.threat.technique.id.contains(technique.external_id)) { + ctx?.threat.technique.id.add(technique.external_id); + } + } + if (technique.mitre_url != null) { + if (!ctx?.threat.technique.reference.contains(technique.mitre_url)) { + ctx?.threat.technique.reference.add(technique.mitre_url); + } + } + } + if: ctx?.cisco?.secure_endpoint?.tactics != null +- script: + lang: painless + source: | + if (ctx?.threat == null) { + ctx.threat = new HashMap(); + } + if (ctx?.threat.tactic == null) { + ctx.threat.tactic = new HashMap(); + } + if (ctx?.threat.tactic.id == null) { + ctx.threat.tactic.id = new ArrayList(); + } + if (ctx?.threat.tactic.name == null) { + ctx.threat.tactic.name = new ArrayList(); + } + if (ctx?.threat.tactic.reference == null) { + ctx.threat.tactic.reference = new ArrayList(); + } + for (tactic in ctx?.cisco?.secure_endpoint?.tactics) { + if (tactic.name != null) { + if (!ctx?.threat.tactic.name.contains(tactic.name)) { + ctx?.threat.tactic.name.add(tactic.name); + } + } + if (tactic.external_id != null) { + if (!ctx?.threat.tactic.id.contains(tactic.external_id)) { + ctx?.threat.tactic.id.add(tactic.external_id); + } + } + if (tactic.mitre_url != null) { + if (!ctx?.threat.tactic.reference.contains(tactic.mitre_url)) { + ctx?.threat.tactic.reference.add(tactic.mitre_url); + } + } + } + if: ctx?.cisco?.secure_endpoint?.tactics != null + +###################### +## ECS Host Mapping ## +###################### +- rename: + field: cisco.secure_endpoint.computer.hostname + target_field: host.name + ignore_missing: true +- rename: + field: cisco.secure_endpoint.hostname + target_field: host.name + ignore_missing: true + if: ctx?.host?.name == null +- script: + lang: painless + if: 'ctx.host?.name != null && ctx.host?.name.contains(".")' + source: | + def domain = ""; + def nameArray = ctx.host.name.toString().splitOnToken("."); + if (ctx.host == null) { + ctx.host = new HashMap(); + } + if (nameArray?.length > 0) { + for (int i = 1; i < nameArray.length; i++) { + domain += nameArray[i] + (i < nameArray.length - 1 ? "." : ""); + } + ctx.host.hostname = nameArray[0]; + ctx.host.domain = domain; + } +- set: + field: host.hostname + copy_from: host.name + ignore_empty_value: true + if: ctx?.host?.hostname == null +- script: + lang: painless + if: 'ctx.cisco?.secure_endpoint?.computer?.user != null && ctx.cisco?.secure_endpoint?.computer?.user.contains("@")' + source: > + String[] splitmail = ctx.cisco.secure_endpoint.computer.user.splitOnToken("@"); + if (ctx.user == null) { + ctx.user = new HashMap(); + } + if (splitmail.length != 2) { + return; + } + ctx.user.email = ctx.user.id; + ctx.user.domain = splitmail[1]; + ctx.user.name = splitmail[0]; +- rename: + field: cisco.secure_endpoint.computer.user + target_field: user.name + ignore_missing: true + if: ctx?.user?.name == null && ctx?.cisco?.secure_endpoint?.computer?.user != null + +######################### +## ECS Network Mapping ## +######################### +- rename: + field: cisco.secure_endpoint.network_info.nfm.protocol + target_field: network.transport + ignore_missing: true +- set: + field: network.direction + value: egress + if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction == 'Outgoing connection from'" +- set: + field: network.direction + value: ingress + if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction != null && ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction != 'Outgoing connection from'" + +##################### +## ECS URL Mapping ## +##################### +- uri_parts: + field: cisco.secure_endpoint.network_info.dirty_url + target_field: url + keep_original: true + remove_if_successful: true + if: ctx?.cisco?.secure_endpoint?.network_info?.dirty_url != null +- rename: + field: cisco.secure_endpoint.network_info.dirty_url + target_field: url.original + ignore_missing: true + +######################## +## ECS Source Mapping ## +######################## +- rename: + field: cisco.secure_endpoint.network_info.local_ip + target_field: source.ip + ignore_missing: true +- rename: + field: cisco.secure_endpoint.network_info.local_port + target_field: source.port + ignore_missing: true + +############################# +## ECS Destination Mapping ## +############################# +- rename: + field: cisco.secure_endpoint.network_info.remote_ip + target_field: destination.ip + ignore_missing: true +- rename: + field: cisco.secure_endpoint.network_info.remote_port + target_field: destination.port + ignore_missing: true + +###################### +## ECS File Mapping ## +###################### +- rename: + field: cisco.secure_endpoint.file.file_name + target_field: file.name + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.file_path + target_field: file.path + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.identity.sha256 + target_field: file.hash.sha256 + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.identity.sha1 + target_field: file.hash.sha1 + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.identity.md5 + target_field: file.hash.md5 + ignore_missing: true + +##################### +## ECS OS Mapping ## +##################### +- set: + field: host.os.family + value: windows + if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")' +- set: + field: host.os.platform + value: windows + if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")' + +######################### +## ECS Process Mapping ## +######################### +- rename: + field: cisco.secure_endpoint.file.parent.process_id + target_field: process.pid + ignore_missing: true +- rename: + field: cisco.secure_endpoint.network_info.parent.process_id + target_field: process.pid + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.parent.file_name + target_field: process.name + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.parent.identity.sha256 + target_field: process.hash.sha256 + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.parent.identity.sha1 + target_field: process.hash.sha1 + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.parent.identity.md5 + target_field: process.hash.md5 + ignore_missing: true +- rename: + field: cisco.secure_endpoint.file.parent.identity.md5 + target_field: process.hash.md5 + ignore_missing: true +- rename: + field: cisco.secure_endpoint.network_info.parent.file_name + target_field: process.name + ignore_missing: true +- rename: + field: cisco.secure_endpoint.network_info.parent.identity.sha256 + target_field: process.hash.sha256 + ignore_missing: true +- rename: + field: cisco.secure_endpoint.network_info.parent.identity.sha1 + target_field: process.hash.sha1 + ignore_missing: true +- rename: + field: cisco.secure_endpoint.network_info.parent.identity.md5 + target_field: process.hash.md5 + ignore_missing: true +- script: + description: Set process.command_line and process.args. + tag: set-process-command_line + lang: painless + source: | + def commandLine = ctx?.cisco?.secure_endpoint?.command_line?.arguments; + if (commandLine != null) { + commandLine = commandLine.trim(); + if (commandLine != "") { + ctx.process.command_line = commandLine; + + def args = []; + for (def v : / /.split(commandLine)) { + if (v != "") { + args.add(v); + } + } + if (args.size() > 0) { + ctx.process.args = args; + } + } + } +- script: + description: Set process.args_count and process.executable based on process.args. + tag: set-process-args_count + lang: painless + if: ctx?.process?.args != null + source: | + ctx.process.args_count = ctx.process.args.length; + if (ctx.process.args.length > 0) { + ctx.process.executable = ctx.process.args[0]; + } + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.user + value: "{{ user.name }}" + if: ctx?.user?.name != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ process.hash.sha256 }}" + if: ctx?.process?.parent?.hash?.sha256 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ process.hash.md5 }}" + if: ctx?.process?.parent?.hash?.md5 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ process.hash.sha1 }}" + if: ctx?.process?.parent?.hash?.sha1 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ file.hash.sha256 }}" + if: ctx?.file?.hash?.sha256 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ file.hash.md5 }}" + if: ctx?.file?.hash?.md5 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ file.hash.sha1 }}" + if: ctx?.file?.hash?.sha1 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha256 }}" + if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha256 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ cisco.secure_endpoint.network_info.parent.identity.md5 }}" + if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.md5 != null + allow_duplicates: false +- append: + field: related.hash + value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha1 }}" + if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha1 != null + allow_duplicates: false +- append: + field: related.hosts + value: "{{ host.name }}" + if: ctx?.host?.name != null + allow_duplicates: false +- append: + field: related.ip + value: "{{ source.ip }}" + if: ctx?.source?.ip != null + allow_duplicates: false +- append: + field: related.ip + value: "{{ destination.ip }}" + if: ctx?.destination?.ip != null + allow_duplicates: false +- append: + field: related.ip + value: "{{ cisco.secure_endpoint.computer.external_ip }}" + if: ctx?.cisco?.secure_endpoint?.computer?.external_ip != null + allow_duplicates: false +- script: + lang: painless + source: | + if (ctx?.related == null) { + ctx.related = new HashMap(); + } + if (ctx?.related?.ip == null) { + ctx.related.ip = new ArrayList(); + } + for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) { + if (addr.ip != null && !addr.ip.isEmpty()) { + if (!ctx?.related?.ip.contains(addr.ip)) { + ctx?.related?.ip.add(addr.ip); + } + } + } + if: ctx?.cisco?.secure_endpoint?.computer?.network_addresses != null +- script: + lang: painless + source: | + if (ctx?.cisco?.secure_endpoint?.related == null) { + ctx.cisco.secure_endpoint.related = new HashMap(); + } + if (ctx?.cisco?.secure_endpoint?.related?.mac == null) { + ctx.cisco.secure_endpoint.related.mac = new ArrayList(); + } + for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) { + if (addr.mac != null && !addr.mac.isEmpty()) { + if (!ctx?.cisco?.secure_endpoint?.related?.mac.contains(addr.mac)) { + def mac_addr = addr.mac.replace(":","-").toUpperCase(); + ctx?.cisco?.secure_endpoint?.related?.mac.add(mac_addr); + } + } + } + if: ctx?.cisco?.secure_endpoint?.computer?.network_addresses != null +- foreach: + field: cisco.secure_endpoint.vulnerabilities + processor: + append: + field: cisco.secure_endpoint.related.cve + value: "{{ _ingest._value.cve }}" + allow_duplicates: false + if: ctx?.cisco?.secure_endpoint?.vulnerabilities != null + +############# +## GeoIP ## +############# +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- date: + field: cisco.secure_endpoint.threat_hunting.incident_start_time + target_field: cisco.secure_endpoint.threat_hunting.incident_start_time + formats: + - UNIX + ignore_failure: true + if: ctx?.cisco?.secure_endpoint?.threat_hunting?.incident_start_time != null +- date: + field: cisco.secure_endpoint.threat_hunting.incident_end_time + target_field: cisco.secure_endpoint.threat_hunting.incident_end_time + formats: + - UNIX + ignore_failure: true + if: ctx?.cisco?.secure_endpoint?.threat_hunting?.incident_end_time != null +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + if: ctx?.json != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- remove: + field: + - cisco.secure_endpoint.computer.hostname + - cisco.secure_endpoint.computer.links + - cisco.secure_endpoint.computer.user + - cisco.secure_endpoint.date + - cisco.secure_endpoint.id + - cisco.secure_endpoint.severity + - cisco.secure_endpoint.start_date + - cisco.secure_endpoint.start_timestamp + - cisco.secure_endpoint.threat_hunting.tactics + - cisco.secure_endpoint.threat_hunting.techniques + - cisco.secure_endpoint.timestamp + - cisco.secure_endpoint.timestamp_nanoseconds + - json + ignore_missing: true +on_failure: +- remove: + field: + - json + ignore_missing: true +- set: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" failed with message "{{{ _ingest.on_failure_message }}}" diff --git a/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/agent.yml b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/agent.yml new file mode 100755 index 0000000000..9dfc8d1aeb --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/agent.yml @@ -0,0 +1,193 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/base-fields.yml b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/base-fields.yml new file mode 100755 index 0000000000..351ac77130 --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/base-fields.yml @@ -0,0 +1,27 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_secure_endpoint +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_secure_endpoint.event +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword diff --git a/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/ecs.yml b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/ecs.yml new file mode 100755 index 0000000000..e8e00f84e9 --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/ecs.yml @@ -0,0 +1,271 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + normalize: + - array + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.id + normalize: + - array + type: keyword +- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.reference + normalize: + - array + type: keyword +- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + name: threat.tactic.name + normalize: + - array + type: keyword +- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.id + normalize: + - array + type: keyword +- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + multi_fields: + - name: text + type: match_only_text + name: threat.technique.name + normalize: + - array + type: keyword +- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.reference + normalize: + - array + type: keyword diff --git a/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/fields.yml b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/fields.yml new file mode 100755 index 0000000000..68cdf7aad9 --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/fields/fields.yml @@ -0,0 +1,282 @@ +- name: cisco.secure_endpoint + type: group + release: beta + default_field: false + description: > + Module for parsing Cisco Secure Endpoint logs. + + fields: + - name: timestamp_nanoseconds + type: date + description: > + The timestamp in Epoch nanoseconds. + + - name: event_type_id + type: long + description: > + A sub ID of the event, depending on event type. + + - name: detection + type: keyword + description: > + The name of the malware detected. + + - name: detection_id + type: keyword + description: > + The ID of the detection. + + - name: connector_guid + type: keyword + description: > + The GUID of the connector sending information to AMP. + + - name: group_guids + type: keyword + description: > + An array of group GUIDS related to the connector sending information to AMP. + + - name: vulnerabilities + type: flattened + description: > + An array of related vulnerabilities to the malicious event. + + - name: scan.description + type: keyword + description: > + Description of an event related to a scan being initiated, for example the specific directory name. + + - name: scan.clean + type: boolean + description: > + Boolean value if a scanned file was clean or not. + + - name: scan.scanned_files + type: long + description: > + Count of files scanned in a directory. + + - name: scan.scanned_processes + type: long + description: > + Count of processes scanned related to a single scan event. + + - name: scan.scanned_paths + type: long + description: > + Count of different directories scanned related to a single scan event. + + - name: scan.malicious_detections + type: long + description: > + Count of malicious files or documents detected related to a single scan event. + + - name: computer.connector_guid + type: keyword + description: > + The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. + + - name: computer.external_ip + type: ip + description: > + The external IP of the related host. + + - name: computer.active + type: boolean + description: > + If the current endpoint is active or not. + + - name: computer.network_addresses + type: flattened + description: > + All network interface information on the related host. + + - name: file.disposition + type: keyword + description: > + Categorization of file, for example "Malicious" or "Clean". + + - name: network_info.disposition + type: keyword + description: > + Categorization of a network event related to a file, for example "Malicious" or "Clean". + + - name: network_info.nfm.direction + type: keyword + description: > + The current direction based on source and destination IP. + + - name: related.mac + type: keyword + description: > + An array of all related MAC addresses. + + - name: related.cve + type: keyword + description: > + An array of all related CVEs + + - name: cloud_ioc.description + type: keyword + description: > + Description of the related IOC for specific IOC events from AMP. + + - name: cloud_ioc.short_description + type: keyword + description: > + Short description of the related IOC for specific IOC events from AMP. + + - name: network_info.parent.disposition + type: keyword + description: > + Categorization of a IOC for example "Malicious" or "Clean". + + - name: network_info.parent.identity.md5 + type: keyword + description: > + MD5 hash of the related IOC. + + - name: network_info.parent.identity.sha1 + type: keyword + description: > + SHA1 hash of the related IOC. + + - name: network_info.parent.identify.sha256 + type: keyword + description: > + SHA256 hash of the related IOC. + + - name: file.archived_file.disposition + type: keyword + description: > + Categorization of a file archive related to a file, for example "Malicious" or "Clean". + + - name: file.archived_file.identity.md5 + type: keyword + description: > + MD5 hash of the archived file related to the malicious event. + + - name: file.archived_file.identity.sha1 + type: keyword + description: > + SHA1 hash of the archived file related to the malicious event. + + - name: file.archived_file.identity.sha256 + type: keyword + description: > + SHA256 hash of the archived file related to the malicious event. + + - name: file.attack_details.application + type: keyword + description: > + The application name related to Exploit Prevention events. + + - name: file.attack_details.attacked_module + type: keyword + description: > + Path to the executable or dll that was attacked and detected by Exploit Prevention. + + - name: file.attack_details.base_address + type: keyword + description: > + The base memory address related to the exploit detected. + + - name: file.attack_details.suspicious_files + type: keyword + description: > + An array of related files when an attack is detected by Exploit Prevention. + + - name: file.parent.disposition + type: keyword + description: > + Categorization of parrent, for example "Malicious" or "Clean". + + - name: error.description + type: keyword + description: > + Description of an endpoint error event. + + - name: error.error_code + type: long + description: > + The error code describing the related error event. + + - name: threat_hunting.severity + type: keyword + description: > + Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. + + - name: threat_hunting.incident_report_guid + type: keyword + description: > + The GUID of the related threat hunting report. + + - name: threat_hunting.incident_hunt_guid + type: keyword + description: > + The GUID of the related investigation tracking issue. + + - name: threat_hunting.incident_title + type: keyword + description: > + Title of the incident related to the threat hunting activity. + + - name: threat_hunting.incident_summary + type: keyword + description: > + Summary of the outcome on the threat hunting activity. + + - name: threat_hunting.incident_remediation + type: keyword + description: > + Recommendations to resolve the vulnerability or exploited host. + + - name: threat_hunting.incident_id + type: long + description: > + The id of the related incident for the threat hunting activity. + + - name: threat_hunting.incident_end_time + type: date + description: > + When the threat hunt finalized or closed. + + - name: threat_hunting.incident_start_time + type: date + description: > + When the threat hunt was initiated. + + - name: file.attack_details.indicators + type: flattened + description: > + Different indicator types that matches the exploit detected, for example different MITRE tactics. + + - name: threat_hunting.tactics + type: flattened + description: > + List of all MITRE tactics related to the incident found. + + - name: threat_hunting.techniques + type: flattened + description: > + List of all MITRE techniques related to the incident found. + + - name: tactics + type: flattened + description: > + List of all MITRE tactics related to the incident found. + + - name: techniques + type: flattened + description: > + List of all MITRE techniques related to the incident found. + + - name: command_line.arguments + type: keyword + description: > + The CLI arguments related to the Cloud Threat IOC reported by Cisco. + + - name: bp_data + type: flattened + description: >- + Endpoint isolation information diff --git a/packages/cisco_secure_endpoint/2.6.2/data_stream/event/manifest.yml b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/manifest.yml new file mode 100755 index 0000000000..4cd9a9565f --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/manifest.yml @@ -0,0 +1,91 @@ +title: Cisco Secure Endpoint logs +type: logs +streams: + - input: httpjson + vars: + - name: client_id + type: text + title: Client ID + description: Cisco Secure Endpoint Client ID + multi: false + required: true + show_user: true + - name: api_key + type: password + title: API Key + description: Cisco Secure Endpoint API Key + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: true + default: 60s + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + description: Interval at which the logs will be pulled. The value must be between 2m and 1h. + default: 1h + - name: url + type: text + title: API URL. + description: The API URL + multi: false + required: true + show_user: false + default: https://api.amp.cisco.com/v1/events?offset=0&limit=300 + - name: limit + type: text + title: Initial Interval + multi: false + required: true + show_user: false + description: Max number of logs pulled on each request + default: 100 + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + description: Initial Interval for first log pull + default: 24h + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - cisco-secure_endpoint + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" + template_path: httpjson.yml.hbs + title: Cisco Secure Endpoint logs + description: Collect Cisco Secure Endpoint logs via the API diff --git a/packages/cisco_secure_endpoint/2.6.2/data_stream/event/sample_event.json b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/sample_event.json new file mode 100755 index 0000000000..728815234b --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/data_stream/event/sample_event.json @@ -0,0 +1,112 @@ +{ + "@timestamp": "2021-01-13T10:13:08.000Z", + "agent": { + "ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796", + "id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "cisco": { + "secure_endpoint": { + "cloud_ioc": { + "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", + "short_description": "W32.WinWord.Powershell" + }, + "computer": { + "active": true, + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8", + "network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ] + }, + "connector_guid": "test_connector_guid", + "event_type_id": 1107296274, + "file": { + "disposition": "Clean", + "identity": {}, + "parent": { + "disposition": "Clean", + "identity": {} + } + }, + "group_guids": [ + "test_group_guid" + ], + "related": { + "mac": [ + "38-1E-EB-BA-2C-15" + ] + } + } + }, + "data_stream": { + "dataset": "cisco_secure_endpoint.event", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "Cloud IOC", + "agent_id_status": "verified", + "category": [ + "file" + ], + "code": "1107296274", + "created": "2022-04-13T11:54:03.909Z", + "dataset": "cisco_secure_endpoint.event", + "id": "1515298355162029000", + "ingested": "2022-04-13T11:54:04Z", + "kind": "alert", + "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://7d3a7ffa9a19:8080/v1/events?start_date=2022-04-12T11:54:03+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://7d3a7ffa9a19:8080/v1/events?start_date=2022-04-12T11:54:03+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", + "severity": 2, + "start": "2021-01-13T10:13:08.000Z" + }, + "file": { + "hash": { + "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + }, + "name": "PowerShell.exe", + "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe" + }, + "host": { + "hostname": "Demo_AMP", + "name": "Demo_AMP" + }, + "input": { + "type": "httpjson" + }, + "process": { + "hash": { + "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" + } + }, + "related": { + "hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "hosts": [ + "Demo_AMP" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "tags": [ + "cisco-secure_endpoint", + "forwarded", + "preserve_original_event" + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_endpoint/2.6.2/docs/README.md b/packages/cisco_secure_endpoint/2.6.2/docs/README.md new file mode 100755 index 0000000000..c637510047 --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/docs/README.md @@ -0,0 +1,290 @@ +# Cisco Secure Endpoint Integration + +This integration is for [Cisco Secure Endpoint](https://developer.cisco.com/amp-for-endpoints/) logs. It includes the following datasets for receiving logs over syslog or read from a file: + +- `event` dataset: supports Cisco Secure Endpoint Event logs. + +## Logs + +### Secure Endpoint + +The `event` dataset collects Cisco Secure Endpoint logs. + +An example event for `event` looks as following: + +```json +{ + "@timestamp": "2021-01-13T10:13:08.000Z", + "agent": { + "ephemeral_id": "1bee52ec-b713-415e-9d9b-32c5217f9796", + "id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "cisco": { + "secure_endpoint": { + "cloud_ioc": { + "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.", + "short_description": "W32.WinWord.Powershell" + }, + "computer": { + "active": true, + "connector_guid": "test_connector_guid", + "external_ip": "8.8.8.8", + "network_addresses": [ + { + "ip": "10.10.10.10", + "mac": "38:1e:eb:ba:2c:15" + } + ] + }, + "connector_guid": "test_connector_guid", + "event_type_id": 1107296274, + "file": { + "disposition": "Clean", + "identity": {}, + "parent": { + "disposition": "Clean", + "identity": {} + } + }, + "group_guids": [ + "test_group_guid" + ], + "related": { + "mac": [ + "38-1E-EB-BA-2C-15" + ] + } + } + }, + "data_stream": { + "dataset": "cisco_secure_endpoint.event", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "83d8d392-d20c-40ef-a257-bf9cf314d1db", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "action": "Cloud IOC", + "agent_id_status": "verified", + "category": [ + "file" + ], + "code": "1107296274", + "created": "2022-04-13T11:54:03.909Z", + "dataset": "cisco_secure_endpoint.event", + "id": "1515298355162029000", + "ingested": "2022-04-13T11:54:04Z", + "kind": "alert", + "original": "{\"data\":{\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"computer\":{\"active\":true,\"connector_guid\":\"test_connector_guid\",\"external_ip\":\"8.8.8.8\",\"hostname\":\"Demo_AMP\",\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\"},\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}]},\"connector_guid\":\"test_connector_guid\",\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}},\"group_guids\":[\"test_group_guid\"],\"id\":1515298355162029000,\"severity\":\"Medium\",\"start_date\":\"2021-01-13T10:13:08+00:00\",\"start_timestamp\":1610532788,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000},\"metadata\":{\"links\":{\"next\":\"http://7d3a7ffa9a19:8080/v1/events?start_date=2022-04-12T11:54:03+00:00\\u0026limit=1\\u0026offset=1\",\"self\":\"http://7d3a7ffa9a19:8080/v1/events?start_date=2022-04-12T11:54:03+00:00\\u0026limit=1\"},\"results\":{\"current_item_count\":1,\"index\":0,\"items_per_page\":1,\"total\":2}},\"version\":\"v1.2.0\"}", + "severity": 2, + "start": "2021-01-13T10:13:08.000Z" + }, + "file": { + "hash": { + "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + }, + "name": "PowerShell.exe", + "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe" + }, + "host": { + "hostname": "Demo_AMP", + "name": "Demo_AMP" + }, + "input": { + "type": "httpjson" + }, + "process": { + "hash": { + "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2" + } + }, + "related": { + "hash": [ + "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7" + ], + "hosts": [ + "Demo_AMP" + ], + "ip": [ + "8.8.8.8", + "10.10.10.10" + ] + }, + "tags": [ + "cisco-secure_endpoint", + "forwarded", + "preserve_original_event" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco.secure_endpoint.bp_data | Endpoint isolation information | flattened | +| cisco.secure_endpoint.cloud_ioc.description | Description of the related IOC for specific IOC events from AMP. | keyword | +| cisco.secure_endpoint.cloud_ioc.short_description | Short description of the related IOC for specific IOC events from AMP. | keyword | +| cisco.secure_endpoint.command_line.arguments | The CLI arguments related to the Cloud Threat IOC reported by Cisco. | keyword | +| cisco.secure_endpoint.computer.active | If the current endpoint is active or not. | boolean | +| cisco.secure_endpoint.computer.connector_guid | The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. | keyword | +| cisco.secure_endpoint.computer.external_ip | The external IP of the related host. | ip | +| cisco.secure_endpoint.computer.network_addresses | All network interface information on the related host. | flattened | +| cisco.secure_endpoint.connector_guid | The GUID of the connector sending information to AMP. | keyword | +| cisco.secure_endpoint.detection | The name of the malware detected. | keyword | +| cisco.secure_endpoint.detection_id | The ID of the detection. | keyword | +| cisco.secure_endpoint.error.description | Description of an endpoint error event. | keyword | +| cisco.secure_endpoint.error.error_code | The error code describing the related error event. | long | +| cisco.secure_endpoint.event_type_id | A sub ID of the event, depending on event type. | long | +| cisco.secure_endpoint.file.archived_file.disposition | Categorization of a file archive related to a file, for example "Malicious" or "Clean". | keyword | +| cisco.secure_endpoint.file.archived_file.identity.md5 | MD5 hash of the archived file related to the malicious event. | keyword | +| cisco.secure_endpoint.file.archived_file.identity.sha1 | SHA1 hash of the archived file related to the malicious event. | keyword | +| cisco.secure_endpoint.file.archived_file.identity.sha256 | SHA256 hash of the archived file related to the malicious event. | keyword | +| cisco.secure_endpoint.file.attack_details.application | The application name related to Exploit Prevention events. | keyword | +| cisco.secure_endpoint.file.attack_details.attacked_module | Path to the executable or dll that was attacked and detected by Exploit Prevention. | keyword | +| cisco.secure_endpoint.file.attack_details.base_address | The base memory address related to the exploit detected. | keyword | +| cisco.secure_endpoint.file.attack_details.indicators | Different indicator types that matches the exploit detected, for example different MITRE tactics. | flattened | +| cisco.secure_endpoint.file.attack_details.suspicious_files | An array of related files when an attack is detected by Exploit Prevention. | keyword | +| cisco.secure_endpoint.file.disposition | Categorization of file, for example "Malicious" or "Clean". | keyword | +| cisco.secure_endpoint.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword | +| cisco.secure_endpoint.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword | +| cisco.secure_endpoint.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword | +| cisco.secure_endpoint.network_info.nfm.direction | The current direction based on source and destination IP. | keyword | +| cisco.secure_endpoint.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword | +| cisco.secure_endpoint.network_info.parent.identify.sha256 | SHA256 hash of the related IOC. | keyword | +| cisco.secure_endpoint.network_info.parent.identity.md5 | MD5 hash of the related IOC. | keyword | +| cisco.secure_endpoint.network_info.parent.identity.sha1 | SHA1 hash of the related IOC. | keyword | +| cisco.secure_endpoint.related.cve | An array of all related CVEs | keyword | +| cisco.secure_endpoint.related.mac | An array of all related MAC addresses. | keyword | +| cisco.secure_endpoint.scan.clean | Boolean value if a scanned file was clean or not. | boolean | +| cisco.secure_endpoint.scan.description | Description of an event related to a scan being initiated, for example the specific directory name. | keyword | +| cisco.secure_endpoint.scan.malicious_detections | Count of malicious files or documents detected related to a single scan event. | long | +| cisco.secure_endpoint.scan.scanned_files | Count of files scanned in a directory. | long | +| cisco.secure_endpoint.scan.scanned_paths | Count of different directories scanned related to a single scan event. | long | +| cisco.secure_endpoint.scan.scanned_processes | Count of processes scanned related to a single scan event. | long | +| cisco.secure_endpoint.tactics | List of all MITRE tactics related to the incident found. | flattened | +| cisco.secure_endpoint.techniques | List of all MITRE techniques related to the incident found. | flattened | +| cisco.secure_endpoint.threat_hunting.incident_end_time | When the threat hunt finalized or closed. | date | +| cisco.secure_endpoint.threat_hunting.incident_hunt_guid | The GUID of the related investigation tracking issue. | keyword | +| cisco.secure_endpoint.threat_hunting.incident_id | The id of the related incident for the threat hunting activity. | long | +| cisco.secure_endpoint.threat_hunting.incident_remediation | Recommendations to resolve the vulnerability or exploited host. | keyword | +| cisco.secure_endpoint.threat_hunting.incident_report_guid | The GUID of the related threat hunting report. | keyword | +| cisco.secure_endpoint.threat_hunting.incident_start_time | When the threat hunt was initiated. | date | +| cisco.secure_endpoint.threat_hunting.incident_summary | Summary of the outcome on the threat hunting activity. | keyword | +| cisco.secure_endpoint.threat_hunting.incident_title | Title of the incident related to the threat hunting activity. | keyword | +| cisco.secure_endpoint.threat_hunting.severity | Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. | keyword | +| cisco.secure_endpoint.threat_hunting.tactics | List of all MITRE tactics related to the incident found. | flattened | +| cisco.secure_endpoint.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened | +| cisco.secure_endpoint.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date | +| cisco.secure_endpoint.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | +| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/cisco_secure_endpoint/2.6.2/img/cisco.svg b/packages/cisco_secure_endpoint/2.6.2/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_secure_endpoint/2.6.2/manifest.yml b/packages/cisco_secure_endpoint/2.6.2/manifest.yml new file mode 100755 index 0000000000..566dc9ad8e --- /dev/null +++ b/packages/cisco_secure_endpoint/2.6.2/manifest.yml @@ -0,0 +1,28 @@ +format_version: 1.0.0 +name: cisco_secure_endpoint +title: Cisco Secure Endpoint +version: 2.6.2 +license: basic +description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent. +type: integration +categories: + - network + - security +release: ga +conditions: + kibana.version: "^7.17.0 || ^8.0.0" +icons: + - src: /img/cisco.svg + title: cisco + size: 216x216 + type: image/svg+xml +policy_templates: + - name: cisco_secure_endpoint + title: Cisco Secure Endpoint logs + description: Collect logs from Cisco Secure Endpoint + inputs: + - type: httpjson + title: Collect logs from the Cisco Secure Endpoint API + description: Collecting logs from the Cisco Secure Endpoint API +owner: + github: elastic/security-external-integrations diff --git a/packages/citrix_waf/1.1.2/LICENSE.txt b/packages/citrix_waf/1.1.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/citrix_waf/1.1.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/citrix_waf/1.1.2/changelog.yml b/packages/citrix_waf/1.1.2/changelog.yml new file mode 100755 index 0000000000..b2476cc313 --- /dev/null +++ b/packages/citrix_waf/1.1.2/changelog.yml @@ -0,0 +1,37 @@ +# newer versions go on top +- version: "1.1.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4401 +- version: "1.1.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.1.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3843 +- version: "1.0.0" + changes: + - description: Add dashboard. + type: enhancement + link: https://github.com/elastic/integrations/pull/3779 + - description: Add missing client.as field mappings. + type: bugfix + link: https://github.com/elastic/integrations/pull/3779 + - description: Remove unused destination field mappings. + type: bugfix + link: https://github.com/elastic/integrations/pull/3779 +- version: "0.1.1" + changes: + - description: Fix UDP parameter name and remove setting from default. + type: bugfix + link: https://github.com/elastic/integrations/pull/3778 +- version: "0.1.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/3425 diff --git a/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/stream.yml.hbs b/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..2a3cd639fe --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/stream.yml.hbs @@ -0,0 +1,24 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' diff --git a/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..98dc71bbaa --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,26 @@ +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' diff --git a/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..cbe0dfb57d --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,23 @@ +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +{{#if udp_options}} +{{udp_options}} +{{/if}} +fields_under_root: true +fields: + _conf: + tz_offset: '{{tz_offset}}' diff --git a/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/cef.yml b/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/cef.yml new file mode 100755 index 0000000000..b1d3109e11 --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/cef.yml @@ -0,0 +1,104 @@ +--- +description: Pipeline for Citrix CEF messages +processors: + - set: + field: citrix.cef_format + value: true + # https://docs.citrix.com/en-us/citrix-adc/downloads/cef-log-components.pdf + - dissect: + field: citrix.detail + pattern: "CEF:%{citrix.cef_version}|%{citrix.device_vendor}|%{citrix.device_product}|%{citrix.device_version}|%{citrix.device_event_class_id}|%{citrix.name}|%{event.severity}|%{citrix.extended.message}" + - kv: + field: citrix.extended.message + target_field: citrix.extended_kv + field_split: ' (?=[a-zA-Z][a-zA-Z0-9]*=)' + value_split: '=' + ignore_missing: true + - remove: + field: citrix.extended + if: ctx.citrix?.extended_kv != null + + # https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/logs.html#common-event-format-cef-logs + - convert: + # src – source IP address + field: citrix.extended_kv.src + target_field: source.ip + type: ip + ignore_missing: true + - remove: + field: citrix.extended_kv.src + ignore_missing: true + - convert: + # spt – source port number + field: citrix.extended_kv.spt + target_field: source.port + type: long + ignore_missing: true + - remove: + field: citrix.extended_kv.spt + ignore_missing: true + - rename: + # method – Method (for example GET/POST) + field: citrix.extended_kv.method + target_field: http.request.method + ignore_missing: true + - rename: + # request – request URL + field: citrix.extended_kv.request + target_field: url.original + ignore_missing: true + - rename: + # action (for example blocked, transformed) + field: citrix.extended_kv.act + target_field: event.action + ignore_missing: true + - rename: + # message (Message regarding the observed security check violation) + field: citrix.extended_kv.msg + target_field: message + ignore_missing: true + - rename: + # event ID + field: citrix.extended_kv.cn1 + target_field: event.id + ignore_missing: true + - rename: + # HTTP Transaction ID + field: citrix.extended_kv.cn2 + target_field: http.request.id + ignore_missing: true + - rename: + # profile name + field: citrix.extended_kv.cs1 + target_field: citrix.profile_name + ignore_missing: true + - rename: + # PPE ID (for example PPE1) + field: citrix.extended_kv.cs2 + target_field: citrix.ppe_id + ignore_missing: true + - rename: + # Session ID + field: citrix.extended_kv.cs3 + target_field: citrix.session_id + ignore_missing: true + - rename: + # Severity (for example INFO, ALERT) + field: citrix.extended_kv.cs4 + target_field: citrix.severity + ignore_missing: true + - rename: + # event year + field: citrix.extended_kv.cs5 + target_field: citrix.event_year + ignore_missing: true + - rename: + # Signature Violation Category + field: citrix.extended_kv.cs6 + target_field: citrix.signature_violation_category + ignore_missing: true + + - rename: + field: citrix.extended_kv + target_field: citrix.extended + ignore_missing: true diff --git a/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..9f40c2447e --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,161 @@ +--- +description: Pipeline for Citrix Web App Firewall logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + - grok: + description: Extract header details and message from log line. + field: event.original + patterns: + - '^%{SYSLOG_TIMESTAMP} %{LEVEL} %{IP:client.ip:ip} %{GREEDYDATA:citrix.detail}' + pattern_definitions: + LEVEL: '?' + IDENT: '[a-zA-Z][a-zA-Z0-9]*' + SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})' + TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' + + - pipeline: + name: '{{ IngestPipeline "cef" }}' + if: ctx.citrix?.detail != null && ctx.citrix?.detail.startsWith("CEF:") + - pipeline: + name: '{{ IngestPipeline "native" }}' + if: ctx.citrix?.detail != null && !ctx.citrix?.detail.startsWith("CEF:") + + - convert: + field: event.severity + type: long + ignore_missing: true + + - set: + field: _conf.tz_offset + value: UTC + override: false + - set: + field: event.timezone + copy_from: _conf.tz_offset + if: ctx.event?.timezone == null || ctx.event?.timezone == "" + - date: + if: ctx?._tmp?.timestamp8601 != null + field: _tmp.timestamp8601 + timezone: '{{{event.timezone}}}' + formats: + - ISO8601 + - set: + field: _tmp.timestamp + if: ctx._tmp?.timestamp != null && ctx.citrix?.event_year != null + value: "{{{citrix.event_year}}} {{{_tmp.timestamp}}}" + - date: + if: ctx?._tmp?.timestamp != null + field: _tmp.timestamp + timezone: '{{{event.timezone}}}' + formats: + - MMM d HH:mm:ss + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMMM d HH:mm:ss + - MMMM d HH:mm:ss + - MMMM dd HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM dd HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM dd HH:mm:ss + - date: + if: ctx?._tmp?.timestamp_native != null + field: _tmp.timestamp_native + formats: + - MM/dd/yyyy:HH:mm:ss + timezone: '{{{event.timezone}}}' + - remove: + field: citrix.event_year + ignore_failure: true + + - geoip: + field: client.ip + target_field: client.geo + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: client.ip + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: client.as.asn + target_field: client.as.number + ignore_missing: true + - rename: + field: client.as.organization_name + target_field: client.as.organization.name + ignore_missing: true + + - uri_parts: + field: url.original + target_field: url + if: ctx.url?.original != null && ctx.url?.original != "" + + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - remove: + field: event.original + if: ctx?.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_missing: true + - remove: + field: + - _tmp + - _conf + ignore_missing: true + +on_failure: + - remove: + field: + - _tmp + - _conf + ignore_missing: true + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/native.yml b/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/native.yml new file mode 100755 index 0000000000..587ecdff57 --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/elasticsearch/ingest_pipeline/native.yml @@ -0,0 +1,25 @@ +--- +description: Pipeline for Citrix Native messages +processors: + - set: + field: citrix.cef_format + value: false + - grok: + description: Extract native header and message. + field: citrix.detail + patterns: + - '^%{HEADER} : %{GREEDYDATA:_tmp.details} : +%{GREEDYDATA:citrix.extended.message}' + pattern_definitions: + HEADER: '%{NATIVE_TIMESTAMP:_tmp.timestamp_native} %{WORD:event.timezone} %{SYSLOGHOST:citrix.host} %{INT}-PPE-%{INT}' + NATIVE_TIMESTAMP: '%{MONTHNUM}/%{MONTHDAY}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND}' + - grok: + description: Parse out details. + field: _tmp.details + patterns: + - '^%{DEFAULT:_tmp.default}?%{WORD:citrix.device_event_class_id} %{GREEDYDATA:citrix.name} %{INT:event.id} %{INT:event.severity}$' + pattern_definitions: + DEFAULT: 'default ' + - set: + field: citrix.default_class + value: true + if: ctx._tmp?.default == 'default ' # The trailing space is intended. \ No newline at end of file diff --git a/packages/citrix_waf/1.1.2/data_stream/log/fields/agent.yml b/packages/citrix_waf/1.1.2/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..d38a70bd6b --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/fields/agent.yml @@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/citrix_waf/1.1.2/data_stream/log/fields/base-fields.yml b/packages/citrix_waf/1.1.2/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..17e13a8291 --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: citrix_waf +- name: event.dataset + type: constant_keyword + description: Event dataset + value: citrix_waf.log diff --git a/packages/citrix_waf/1.1.2/data_stream/log/fields/ecs.yml b/packages/citrix_waf/1.1.2/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..026c8331d8 --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/fields/ecs.yml @@ -0,0 +1,463 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. + name: client.geo.region_name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. + The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. + name: http.request.id + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + normalize: + - array + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/citrix_waf/1.1.2/data_stream/log/fields/fields.yml b/packages/citrix_waf/1.1.2/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..fb9f686dfd --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/fields/fields.yml @@ -0,0 +1,57 @@ +- name: citrix + type: group + fields: + - name: cef_format + description: Whether the logging is in Citrix CEF format. + type: boolean + - name: cef_version + description: The CEF format version used in the logs. + type: keyword + - name: device_event_class_id + description: The ID of the event class. + type: keyword + - name: default_class + description: Whether the event class was the default. + type: boolean + - name: detail + description: The CEF or Citrix Native format details for the event. + type: keyword + - name: device_product + description: The model of the appliance. + type: keyword + - name: device_vendor + description: The name of the vendor for the device. + type: keyword + - name: device_version + description: The version of the device. + type: keyword + - name: facility + description: The logging facility. + type: keyword + - name: host + description: The name of the host receiving the logs. + type: keyword + - name: name + description: The name of the security check. + type: keyword + - name: ppe_id + description: Packet Processing Engine ID. + type: keyword + - name: priority + description: The logging priority. + type: keyword + - name: profile_name + description: The name of the profile that raised the event. + type: keyword + - name: session_id + description: The ID for the session. + type: keyword + - name: severity + description: The severity of the event. + type: keyword + - name: signature_violation_category + description: The category that the violation is grouped into. + type: keyword + - name: extended + description: Additional data associated with the event. + type: flattened diff --git a/packages/citrix_waf/1.1.2/data_stream/log/manifest.yml b/packages/citrix_waf/1.1.2/data_stream/log/manifest.yml new file mode 100755 index 0000000000..05cf763cdd --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/manifest.yml @@ -0,0 +1,210 @@ +title: Cisco ASA logs +type: logs +streams: + - input: udp + title: Citrix WAF logs + description: Collect Citrix WAF logs (via Syslog) + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - citrix_waf + - forwarded + - name: udp_host + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9001 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 10KiB + #read_buffer: 100KiB + description: Specify custom configuration options for the UDP input. + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - input: tcp + title: Citrix WAF logs + description: Collect Citrix WAF logs (via Syslog) + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - citrix_waf + - forwarded + - name: tcp_host + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9001 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 10KiB + #max_connections: 1 + #framing: delimitier + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - input: logfile + enabled: false + title: Cisco Citrix WAF logs + description: Cisco Citrix WAF logs + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/citrix-waf.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - citrix_waf + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. diff --git a/packages/citrix_waf/1.1.2/data_stream/log/sample_event.json b/packages/citrix_waf/1.1.2/data_stream/log/sample_event.json new file mode 100755 index 0000000000..30aef26d00 --- /dev/null +++ b/packages/citrix_waf/1.1.2/data_stream/log/sample_event.json @@ -0,0 +1,108 @@ +{ + "@timestamp": "2012-12-18T21:46:17.000Z", + "agent": { + "ephemeral_id": "9153862d-f83f-4bd1-bbc9-c3ff3d96e726", + "id": "e30119bc-b47d-4e56-86e3-4a9683305c6e", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS10.0", + "facility": "local0", + "name": "APPFW_STARTURL", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "profile1", + "session_id": "IliG4Dxp1SjOhKVRDVBXmqvAaIcA000", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "citrix_waf.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "e30119bc-b47d-4e56-86e3-4a9683305c6e", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "action": "not blocked", + "agent_id_status": "verified", + "dataset": "citrix_waf.log", + "id": "465", + "ingested": "2022-07-12T00:06:17Z", + "original": "Dec 18 21:46:17 \u003clocal0.info\u003e 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "severity": 6, + "timezone": "+00:00" + }, + "http": { + "request": { + "id": "535", + "method": "GET" + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.22.0.4:41588" + } + }, + "message": "Disallow Illegal URL.", + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 54711 + }, + "tags": [ + "preserve_original_event", + "citrix_waf", + "forwarded" + ], + "url": { + "domain": "vpx247.example.net", + "extension": "html", + "original": "http://vpx247.example.net/FFC/login_post.html?abc\\=def", + "path": "/FFC/login_post.html", + "query": "abc\\=def", + "scheme": "http" + } +} \ No newline at end of file diff --git a/packages/citrix_waf/1.1.2/docs/README.md b/packages/citrix_waf/1.1.2/docs/README.md new file mode 100755 index 0000000000..9fdaff8a29 --- /dev/null +++ b/packages/citrix_waf/1.1.2/docs/README.md @@ -0,0 +1,335 @@ +# Citrix Web App Firewall + +The Citrix Web App Firewall prevents security breaches, data loss, and possible unauthorized modifications to websites that access sensitive business or customer information. It does so by filtering both requests and responses, examining them for evidence of malicious activity, and blocking requests that exhibit such activity. Your site is protected not only from common types of attacks, but also from new, as yet unknown attacks. In addition to protecting web servers and websites from unauthorized access, the Web App Firewall protects against vulnerabilities in legacy CGI code or scripts, web frameworks, web server software, and other underlying operating systems. + +## Compatibility + +This integration has been tested against samples obtained from Citrix ADC 13.1 and NetScaler 10.0 documentation. + +## Configuration + +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations**. +2. In "Search for integrations" search bar type **Citrix**. +3. Click on "Citrix Web App Firewall" integration from the search results. +4. Click on **Add Citrix Web App Firewall** button to add the integration. + +### Citrix WAF Dashboard Configuration + +It is recommended to configure the application firewall to enable CEF-formatted logs. + +1. Navigate to Security the NetScaler GUI. +2. Click Application Firewall node. +3. Select Change Engine Settings. +4. Enable CEF Logging. + +#### Syslog + +The Citrix WAF GUI can be used to configure syslog servers and WAF message types to be sent to the syslog servers. Refer to [How to Send Application Firewall Messages to a Separate Syslog Server](https://support.citrix.com/article/CTX138973) and [How to Send NetScaler Application Firewall Logs to Syslog Server and NS.log](https://support.citrix.com/article/CTX211543) for details. + +### Configure the Citrix WAF integration + +#### Syslog + +Depending on the syslog server setup in your environment check one/more of the following options "Collect syslog from Citrix WAF via UDP", "Collect syslog from Citrix WAF via TCP", "Collect syslog from Citrix WAF via file". + +Enter the values for syslog host and port OR file path based on the chosen configuration options. + +### Log Events + +Enable to collect Citrix WAF log events for all the applications configured for the chosen log stream. + +## Logs + +### Syslog + +The `citrix_waf.log` dataset provides events from the configured syslog server. All Citrix WAF syslog specific fields are available in the `citrix` field group. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2012-12-18T21:46:17.000Z", + "agent": { + "ephemeral_id": "9153862d-f83f-4bd1-bbc9-c3ff3d96e726", + "id": "e30119bc-b47d-4e56-86e3-4a9683305c6e", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS10.0", + "facility": "local0", + "name": "APPFW_STARTURL", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "profile1", + "session_id": "IliG4Dxp1SjOhKVRDVBXmqvAaIcA000", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "citrix_waf.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "e30119bc-b47d-4e56-86e3-4a9683305c6e", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "action": "not blocked", + "agent_id_status": "verified", + "dataset": "citrix_waf.log", + "id": "465", + "ingested": "2022-07-12T00:06:17Z", + "original": "Dec 18 21:46:17 \u003clocal0.info\u003e 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "severity": 6, + "timezone": "+00:00" + }, + "http": { + "request": { + "id": "535", + "method": "GET" + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.22.0.4:41588" + } + }, + "message": "Disallow Illegal URL.", + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 54711 + }, + "tags": [ + "preserve_original_event", + "citrix_waf", + "forwarded" + ], + "url": { + "domain": "vpx247.example.net", + "extension": "html", + "original": "http://vpx247.example.net/FFC/login_post.html?abc\\=def", + "path": "/FFC/login_post.html", + "query": "abc\\=def", + "scheme": "http" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| citrix.cef_format | Whether the logging is in Citrix CEF format. | boolean | +| citrix.cef_version | The CEF format version used in the logs. | keyword | +| citrix.default_class | Whether the event class was the default. | boolean | +| citrix.detail | The CEF or Citrix Native format details for the event. | keyword | +| citrix.device_event_class_id | The ID of the event class. | keyword | +| citrix.device_product | The model of the appliance. | keyword | +| citrix.device_vendor | The name of the vendor for the device. | keyword | +| citrix.device_version | The version of the device. | keyword | +| citrix.extended | Additional data associated with the event. | flattened | +| citrix.facility | The logging facility. | keyword | +| citrix.host | The name of the host receiving the logs. | keyword | +| citrix.name | The name of the security check. | keyword | +| citrix.ppe_id | Packet Processing Engine ID. | keyword | +| citrix.priority | The logging priority. | keyword | +| citrix.profile_name | The name of the profile that raised the event. | keyword | +| citrix.session_id | The ID for the session. | keyword | +| citrix.severity | The severity of the event. | keyword | +| citrix.signature_violation_category | The category that the violation is grouped into. | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/citrix_waf/1.1.2/img/Citrix_Systems_logo.svg b/packages/citrix_waf/1.1.2/img/Citrix_Systems_logo.svg new file mode 100755 index 0000000000..607b816712 --- /dev/null +++ b/packages/citrix_waf/1.1.2/img/Citrix_Systems_logo.svg @@ -0,0 +1,29 @@ + + + +Citrix_Logo_Trademark_RGB + + + + + + + + + + + + + + diff --git a/packages/citrix_waf/1.1.2/img/dashboard.png b/packages/citrix_waf/1.1.2/img/dashboard.png new file mode 100755 index 0000000000..53bac53200 Binary files /dev/null and b/packages/citrix_waf/1.1.2/img/dashboard.png differ diff --git a/packages/citrix_waf/1.1.2/kibana/dashboard/citrix_waf-4b27aee0-0893-11ed-aba8-a72ea09ca7ef.json b/packages/citrix_waf/1.1.2/kibana/dashboard/citrix_waf-4b27aee0-0893-11ed-aba8-a72ea09ca7ef.json new file mode 100755 index 0000000000..bd5561e965 --- /dev/null +++ b/packages/citrix_waf/1.1.2/kibana/dashboard/citrix_waf-4b27aee0-0893-11ed-aba8-a72ea09ca7ef.json @@ -0,0 +1,133 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"05c27a00-9a41-400a-a761-748dcea885fe\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.action\",\"title\":\"Action\",\"id\":\"05c27a00-9a41-400a-a761-748dcea885fe\",\"enhancements\":{}}},\"0874b3e1-1b97-4b3c-a9cd-5dd77317ffb7\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"rangeSliderControl\",\"explicitInput\":{\"fieldName\":\"event.severity\",\"title\":\"ECS Severity\",\"id\":\"0874b3e1-1b97-4b3c-a9cd-5dd77317ffb7\",\"enhancements\":{}}},\"e5968e79-fb9b-496b-82fb-7d87fcbbbd69\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"citrix.facility\",\"title\":\"Citrix Facility\",\"id\":\"e5968e79-fb9b-496b-82fb-7d87fcbbbd69\",\"enhancements\":{}}},\"cef9c0d6-e031-4039-b9ef-e02b38142551\":{\"order\":3,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"citrix.severity\",\"title\":\"Citrix Severity\",\"id\":\"cef9c0d6-e031-4039-b9ef-e02b38142551\",\"enhancements\":{}}}}" + }, + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"citrix_waf.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"citrix_waf.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80132ca5-df3b-40d7-bd11-c2b77fb67552\":{\"columnOrder\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\",\"46705516-327f-4b4e-9faa-25f39f59716b\"],\"columns\":{\"46705516-327f-4b4e-9faa-25f39f59716b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ae54b93c-ae22-4813-8929-c250f73a69dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\"],\"layerId\":\"80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"526b0bbf-6467-4f9f-b354-fabcd1775f54\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"526b0bbf-6467-4f9f-b354-fabcd1775f54\",\"title\":\"Event Actions\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f1223de-cad4-4d87-8883-57f324f04f11\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f1223de-cad4-4d87-8883-57f324f04f11\":{\"columnOrder\":[\"0f4f2383-3dca-4200-8b05-c95f20050c94\",\"4374b0cf-166b-400e-966a-f60ae3f99bcd\"],\"columns\":{\"0f4f2383-3dca-4200-8b05-c95f20050c94\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"ECS Event Severity\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"event.severity\"},\"4374b0cf-166b-400e-966a-f60ae3f99bcd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"4374b0cf-166b-400e-966a-f60ae3f99bcd\"],\"layerId\":\"2f1223de-cad4-4d87-8883-57f324f04f11\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"0f4f2383-3dca-4200-8b05-c95f20050c94\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"75e76449-036b-46e9-b990-a27affdbf5aa\",\"w\":12,\"x\":12,\"y\":0},\"panelIndex\":\"75e76449-036b-46e9-b990-a27affdbf5aa\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80132ca5-df3b-40d7-bd11-c2b77fb67552\":{\"columnOrder\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\",\"46705516-327f-4b4e-9faa-25f39f59716b\"],\"columns\":{\"46705516-327f-4b4e-9faa-25f39f59716b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ae54b93c-ae22-4813-8929-c250f73a69dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of citrix.facility\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"citrix.facility\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\"],\"layerId\":\"80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"415ab6a2-1eae-4ba4-b27a-64ebb8e1a076\",\"w\":12,\"x\":24,\"y\":0},\"panelIndex\":\"415ab6a2-1eae-4ba4-b27a-64ebb8e1a076\",\"title\":\"Citrix Facitities\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80132ca5-df3b-40d7-bd11-c2b77fb67552\":{\"columnOrder\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\",\"46705516-327f-4b4e-9faa-25f39f59716b\"],\"columns\":{\"46705516-327f-4b4e-9faa-25f39f59716b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ae54b93c-ae22-4813-8929-c250f73a69dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of citrix.severity\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"citrix.severity\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\"],\"layerId\":\"80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"af63a4b5-314c-4fbc-8295-f7e6be3e4f36\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"af63a4b5-314c-4fbc-8295-f7e6be3e4f36\",\"title\":\"Citrix Severities\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b495f7a6-78bd-4e19-b18b-5d098862bdab\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"e261c702-dde7-47a6-b74b-6a2d49716436\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b495f7a6-78bd-4e19-b18b-5d098862bdab\":{\"columnOrder\":[\"a2f9bbce-1617-456b-8ed3-ddfe2beaeead\",\"784d917b-92bd-4953-a62c-5703ac07470e\"],\"columns\":{\"784d917b-92bd-4953-a62c-5703ac07470e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"a2f9bbce-1617-456b-8ed3-ddfe2beaeead\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"e261c702-dde7-47a6-b74b-6a2d49716436\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"citrix_waf.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"citrix_waf.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"784d917b-92bd-4953-a62c-5703ac07470e\"],\"layerId\":\"b495f7a6-78bd-4e19-b18b-5d098862bdab\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"a2f9bbce-1617-456b-8ed3-ddfe2beaeead\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"0761950e-d681-4b55-91fa-6bc6124d631e\",\"w\":48,\"x\":0,\"y\":8},\"panelIndex\":\"0761950e-d681-4b55-91fa-6bc6124d631e\",\"title\":\"Events Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b495f7a6-78bd-4e19-b18b-5d098862bdab\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"cae4bf50-95c9-441a-899f-046ba3a65fa2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b495f7a6-78bd-4e19-b18b-5d098862bdab\":{\"columnOrder\":[\"a2f9bbce-1617-456b-8ed3-ddfe2beaeead\",\"2c759caf-3948-4813-a695-c2babdf1e659\",\"d93d5f11-48de-41cf-b5ec-ce2ed5acabc1\"],\"columns\":{\"2c759caf-3948-4813-a695-c2babdf1e659\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Moving average of Last value of event.severity\",\"operationType\":\"moving_average\",\"params\":{\"window\":5},\"references\":[\"d93d5f11-48de-41cf-b5ec-ce2ed5acabc1\"],\"scale\":\"ratio\"},\"a2f9bbce-1617-456b-8ed3-ddfe2beaeead\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d93d5f11-48de-41cf-b5ec-ce2ed5acabc1\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Last value of event.severity\",\"operationType\":\"last_value\",\"params\":{\"sortField\":\"@timestamp\"},\"scale\":\"ratio\",\"sourceField\":\"event.severity\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"cae4bf50-95c9-441a-899f-046ba3a65fa2\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"citrix_waf.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"citrix_waf.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2c759caf-3948-4813-a695-c2babdf1e659\"],\"layerId\":\"b495f7a6-78bd-4e19-b18b-5d098862bdab\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"a2f9bbce-1617-456b-8ed3-ddfe2beaeead\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"b4cf1452-2700-4760-a89d-44d8b3e9bc7e\",\"w\":48,\"x\":0,\"y\":18},\"panelIndex\":\"b4cf1452-2700-4760-a89d-44d8b3e9bc7e\",\"title\":\"Moving Average of Event Severities Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\":{\"columnOrder\":[\"31055bcb-d47f-45ac-b910-72984ede478c\",\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\"],\"columns\":{\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"31055bcb-d47f-45ac-b910-72984ede478c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of url.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"31055bcb-d47f-45ac-b910-72984ede478c\"],\"layerId\":\"bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4d3dede9-186e-4127-8993-5144ad8f59e5\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"4d3dede9-186e-4127-8993-5144ad8f59e5\",\"title\":\"Top 10 Request Domains\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\":{\"columnOrder\":[\"31055bcb-d47f-45ac-b910-72984ede478c\",\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\"],\"columns\":{\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"31055bcb-d47f-45ac-b910-72984ede478c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of url.path\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"url.path\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"31055bcb-d47f-45ac-b910-72984ede478c\"],\"layerId\":\"bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"3c3d307b-bc6e-4202-a41c-6babfc6e5685\",\"w\":16,\"x\":16,\"y\":28},\"panelIndex\":\"3c3d307b-bc6e-4202-a41c-6babfc6e5685\",\"title\":\"Top 10 Request Paths\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\":{\"columnOrder\":[\"31055bcb-d47f-45ac-b910-72984ede478c\",\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\"],\"columns\":{\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"31055bcb-d47f-45ac-b910-72984ede478c\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of url.query\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"url.query\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"31055bcb-d47f-45ac-b910-72984ede478c\"],\"layerId\":\"bb8ab193-d9b7-4e2c-822a-ef9d82bac12e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"1869dba7-0923-4cbb-996d-1c9bb0f88ee2\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"458e379f-0533-473e-a07c-e569faa6035d\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"458e379f-0533-473e-a07c-e569faa6035d\",\"title\":\"Top 10 Request Queries\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"locale\\\":\\\"autoselect\\\",\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"d3f9f943-81a7-44b3-aa77-b23191957f8a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"7ab6c6bd-2dac-4880-b62a-1c6267d9f077\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Blues\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"0fa3ad86-430e-41f1-a237-b812f4c348f9\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"source.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"FINE\\\",\\\"id\\\":\\\"77e0ca59-401a-40d5-99c1-0a51df08db3d\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_2_source_index_pattern\\\"},\\\"id\\\":\\\"206d9e05-9e93-437a-b5e9-bc25edaa2d7f\\\",\\\"label\\\":\\\"Source Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Yellow to Red\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"client.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"810e7318-8d40-41d0-b855-d6b52decce9c\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_3_source_index_pattern\\\"},\\\"id\\\":\\\"33096e12-68ec-4dbf-b76a-5a429711fe37\\\",\\\"label\\\":\\\"Client Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Greens\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.86,\\\"center\\\":{\\\"lon\\\":-0.56851,\\\"lat\\\":22.82541},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d/d\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":89.78601,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-180},\"mapCenter\":{\"lat\":28.13308,\"lon\":0.60997,\"zoom\":0.79},\"openTOCDetails\":[]},\"gridData\":{\"h\":26,\"i\":\"81cac47e-b5d4-4d11-8815-be3edda41e0c\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"81cac47e-b5d4-4d11-8815-be3edda41e0c\",\"title\":\"Source/Client Connections\",\"type\":\"map\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80132ca5-df3b-40d7-bd11-c2b77fb67552\":{\"columnOrder\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\",\"46705516-327f-4b4e-9faa-25f39f59716b\"],\"columns\":{\"46705516-327f-4b4e-9faa-25f39f59716b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ae54b93c-ae22-4813-8929-c250f73a69dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\"],\"layerId\":\"80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"1ebf8aaf-b90a-4aeb-ac1b-e1c5ba127511\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"1ebf8aaf-b90a-4aeb-ac1b-e1c5ba127511\",\"title\":\"Top 10 Source Countries\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80132ca5-df3b-40d7-bd11-c2b77fb67552\":{\"columnOrder\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\",\"46705516-327f-4b4e-9faa-25f39f59716b\"],\"columns\":{\"46705516-327f-4b4e-9faa-25f39f59716b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ae54b93c-ae22-4813-8929-c250f73a69dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of client.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"client.geo.country_name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ae54b93c-ae22-4813-8929-c250f73a69dd\"],\"layerId\":\"80132ca5-df3b-40d7-bd11-c2b77fb67552\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"46705516-327f-4b4e-9faa-25f39f59716b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"623657c7-8429-497d-acfa-c373085adc7e\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"623657c7-8429-497d-acfa-c373085adc7e\",\"title\":\"Top 10 Client Countries\",\"type\":\"lens\",\"version\":\"8.3.2\"}]", + "timeRestore": false, + "title": "[Citrix Web Application Firewall] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.3.2", + "id": "citrix_waf-4b27aee0-0893-11ed-aba8-a72ea09ca7ef", + "migrationVersion": { + "dashboard": "8.3.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "526b0bbf-6467-4f9f-b354-fabcd1775f54:indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "75e76449-036b-46e9-b990-a27affdbf5aa:indexpattern-datasource-layer-2f1223de-cad4-4d87-8883-57f324f04f11", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "415ab6a2-1eae-4ba4-b27a-64ebb8e1a076:indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "af63a4b5-314c-4fbc-8295-f7e6be3e4f36:indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0761950e-d681-4b55-91fa-6bc6124d631e:indexpattern-datasource-layer-b495f7a6-78bd-4e19-b18b-5d098862bdab", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0761950e-d681-4b55-91fa-6bc6124d631e:e261c702-dde7-47a6-b74b-6a2d49716436", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b4cf1452-2700-4760-a89d-44d8b3e9bc7e:indexpattern-datasource-layer-b495f7a6-78bd-4e19-b18b-5d098862bdab", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b4cf1452-2700-4760-a89d-44d8b3e9bc7e:cae4bf50-95c9-441a-899f-046ba3a65fa2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3dede9-186e-4127-8993-5144ad8f59e5:indexpattern-datasource-layer-bb8ab193-d9b7-4e2c-822a-ef9d82bac12e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3c3d307b-bc6e-4202-a41c-6babfc6e5685:indexpattern-datasource-layer-bb8ab193-d9b7-4e2c-822a-ef9d82bac12e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "458e379f-0533-473e-a07c-e569faa6035d:indexpattern-datasource-layer-bb8ab193-d9b7-4e2c-822a-ef9d82bac12e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "81cac47e-b5d4-4d11-8815-be3edda41e0c:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "81cac47e-b5d4-4d11-8815-be3edda41e0c:layer_2_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "81cac47e-b5d4-4d11-8815-be3edda41e0c:layer_3_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1ebf8aaf-b90a-4aeb-ac1b-e1c5ba127511:indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "623657c7-8429-497d-acfa-c373085adc7e:indexpattern-datasource-layer-80132ca5-df3b-40d7-bd11-c2b77fb67552", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_05c27a00-9a41-400a-a761-748dcea885fe:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_0874b3e1-1b97-4b3c-a9cd-5dd77317ffb7:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_e5968e79-fb9b-496b-82fb-7d87fcbbbd69:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_cef9c0d6-e031-4039-b9ef-e02b38142551:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/citrix_waf/1.1.2/manifest.yml b/packages/citrix_waf/1.1.2/manifest.yml new file mode 100755 index 0000000000..5fc162ab87 --- /dev/null +++ b/packages/citrix_waf/1.1.2/manifest.yml @@ -0,0 +1,40 @@ +format_version: 1.0.0 +name: citrix_waf +title: "Citrix Web App Firewall" +version: 1.1.2 +license: basic +description: Ingest events from Citrix Systems Web App Firewall. +type: integration +categories: + - monitoring + - network + - security +release: ga +conditions: + kibana.version: "^8.3.0" +icons: + - src: /img/Citrix_Systems_logo.svg + title: Citrix Systems + size: 32x32 + type: image/svg+xml +screenshots: + - src: /img/dashboard.png + title: Citrix WAF Overview + size: 3352x3206 + type: image/png +policy_templates: + - name: citrix_waf + title: Citrix Web App Firewall logs + description: Collect logs from Citrix Web App Firewall instances + inputs: + - type: tcp + title: Collect logs from Citrix Web App Firewall via TCP + description: Collecting logs from Citrix Web App Firewall via TCP + - type: udp + title: Collect logs from Citrix Web App Firewall via UDP + description: Collecting logs from Citrix Web App Firewall via UDP + - type: logfile + title: Collect logs from Citrix Web App Firewall via file + description: Collecting logs from Citrix Web App Firewall via file +owner: + github: elastic/security-external-integrations diff --git a/packages/cloudflare/2.2.4/LICENSE.txt b/packages/cloudflare/2.2.4/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cloudflare/2.2.4/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cloudflare/2.2.4/changelog.yml b/packages/cloudflare/2.2.4/changelog.yml new file mode 100755 index 0000000000..76b12772ca --- /dev/null +++ b/packages/cloudflare/2.2.4/changelog.yml @@ -0,0 +1,141 @@ +# newer versions go on top +- version: "2.2.4" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4401 +- version: "2.2.3" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "2.2.2" + changes: + - description: Fix pagination issue. + type: bugfix + link: https://github.com/elastic/integrations/issues/4196 +- version: "2.2.1" + changes: + - description: Remove unused visualizations + type: enhancement + link: https://github.com/elastic/integrations/issues/3975 +- version: "2.2.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3843 +- version: "2.1.3" + changes: + - description: Fix proxy URL documentation rendering. + type: bugfix + link: https://github.com/elastic/integrations/pull/3881 +- version: "2.1.2" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "2.1.1" + changes: + - description: Fixing possible indefinite pagination + type: bugfix + link: https://github.com/elastic/integrations/pull/3651 +- version: "2.1.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "2.0.1" + changes: + - description: Add link to vendor documentation in readme + type: enhancement + link: https://github.com/elastic/integrations/pull/3224 +- version: "2.0.0" + changes: + - description: Migrate map visualisation from tile_map to map object + type: enhancement + link: https://github.com/elastic/integrations/pull/3263 +- version: "1.4.2" + changes: + - description: Update documentation + type: enhancement + link: https://github.com/elastic/integrations/pull/3228 +- version: "1.4.1" + changes: + - description: Add `_id` field to the logpull data stream to deduplicate events. + type: enhancement + link: https://github.com/elastic/integrations/pull/3187 +- version: "1.4.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "1.3.2" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.3.1" + changes: + - description: Allow logpull interval to be less than 2 minutes. + type: bugfix + link: https://github.com/elastic/integrations/pull/2787 +- version: "1.3.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2397 +- version: "1.2.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.2.0" + changes: + - description: Add audit logs + type: enhancement + link: https://github.com/elastic/integrations/pull/2294 +- version: "1.1.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.1.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2243 +- version: "1.0.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2020 +- version: "1.0.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1960 +- version: "1.0.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1811 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1628 +- version: "0.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1654 +- version: "0.1.1" + changes: + - description: Add proxy config + type: enhancement + link: https://github.com/elastic/integrations/pull/1648 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/984 diff --git a/packages/cloudflare/2.2.4/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/cloudflare/2.2.4/data_stream/audit/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..75b468e566 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/agent/stream/httpjson.yml.hbs @@ -0,0 +1,62 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" +request.url: {{api_url}}/client/v4/accounts/{{account}}/audit_logs?page=1&direction=desc +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} + +request.transforms: + - set: + target: header.X-Auth-Email + value: "{{auth_email}}" + - set: + target: header.X-Auth-Key + value: "{{auth_key}}" + - set: + target: url.params.since + value: "[[.cursor.last_timestamp]]" + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' + +response.split: + target: body.result +response.pagination: +- set: + target: url.params.page + value: '[[if (ne (len .last_response.body.result) 0)]][[add .last_response.page 1]][[end]]' + fail_on_template_error: true + +cursor: + last_timestamp: + value: "[[.first_event.when]]" + fail_on_template_error: true + +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +processors: +- add_fields: + target: _config + fields: + account_id: {{account}} +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare/2.2.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..b059eaae03 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,276 @@ +--- +description: Pipeline for parsing cloudflare audit logs +processors: +- set: + field: ecs.version + value: '8.4.0' +- rename: + field: message + target_field: event.original +- json: + field: event.original + target_field: json +- set: + field: cloud.provider + value: cloudflare +- set: + field: cloud.account.id + copy_from: _config.account_id + ignore_empty_value: true +- date: + field: json.when + formats: + - ISO8601 + timezone: UTC + target_field: "@timestamp" +- rename: + field: json.action.type + target_field: event.action + ignore_missing: true +- lowercase: + field: event.action + ignore_missing: true +- set: + field: event.outcome + value: success + if: ctx.json?.action?.result +- set: + field: event.outcome + value: failure + if: "!ctx.json?.action?.result" +- rename: + field: json.actor.email + target_field: user.email + ignore_missing: true +- rename: + field: json.actor.id + target_field: user.id + ignore_missing: true +- rename: + field: json.actor.ip + target_field: source.address + ignore_missing: true +- convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: json.actor.type + target_field: cloudflare.audit.actor.type + ignore_missing: true +- rename: + field: json.id + target_field: event.id + ignore_missing: true +- fingerprint: + fields: + - event.id + target_field: _id + ignore_missing: true +- rename: + field: json.interface + target_field: event.provider + ignore_missing: true + if: ctx.json?.interface != "" +- rename: + field: json.metadata + target_field: cloudflare.audit.metadata + ignore_missing: true +- rename: + field: json.newValueJson + target_field: cloudflare.audit.new_value + ignore_missing: true +- rename: + field: json.oldValueJson + target_field: cloudflare.audit.old_value + ignore_missing: true +- rename: + field: json.newValue + target_field: cloudflare.audit.new_value.value + ignore_missing: true + if: ctx.json?.newValue != "null" +- rename: + field: json.oldValue + target_field: cloudflare.audit.old_value.value + ignore_missing: true + if: ctx.json?.oldValue != "null" +- rename: + field: json.owner.id + target_field: cloudflare.audit.owner.id + ignore_missing: true +- rename: + field: json.resource + target_field: cloudflare.audit.resource + ignore_missing: true +- append: + field: related.user + value: "{{user.id}}" + allow_duplicates: false + if: ctx.user?.id != null +- append: + field: related.user + value: "{{cloudflare.audit.resource.id}}" + allow_duplicates: false + if: ctx.cloudflare?.audit?.resource?.id != null && ctx.cloudflare?.audit?.resource?.type == "user" +- append: + field: related.ip + value: "{{source.ip}}" + if: ctx.source?.ip != null +- script: + lang: painless + tag: Add ECS categorization + params: + login: + category: + - authentication + type: + - info + outcome: success + token_create: + category: + - iam + type: + - creation + token_revoke: + category: + - iam + type: + - deletion + token_roll: + category: + - iam + type: + - change + api_key_view: + category: + - iam + type: + - info + rotate_api_key: + category: + - iam + type: + - change + api_key_created: + category: + - iam + type: + - creation + purge: + category: + - configuration + type: + - deletion + tls_settings_deployed: + category: + - configuration + type: + - info + add: + category: + - configuration + type: + - creation + delete: + category: + - configuration + type: + - deletion + rec_add: + category: + - configuration + type: + - creation + rec_del: + category: + - configuration + type: + - deletion + pending: + category: + - configuration + type: + - info + change_setting: + category: + - configuration + type: + - change + add_enforce_twofactor: + category: + - iam + - configuration + type: + - admin + - info + source: >- + ctx.event.kind = 'event'; + ctx.event.type = 'info'; + if (ctx?.event?.action == null) { + return; + } + if (params.get(ctx.event.action) == null) { + return; + } + def hm = new HashMap(params.get(ctx.event.action)); + hm.forEach((k, v) -> ctx.event[k] = v); +- remove: + field: + - json + - _config + ignore_missing: true +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cloudflare/2.2.4/data_stream/audit/fields/agent.yml b/packages/cloudflare/2.2.4/data_stream/audit/fields/agent.yml new file mode 100755 index 0000000000..62ab051948 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/fields/agent.yml @@ -0,0 +1,112 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Instance name of the host machine. + name: cloud.instance.name + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + The cloud project identifier. + Examples: Google Cloud Project id, Azure Project id. + name: cloud.project.id + type: keyword +- description: Image ID for the cloud instance. + name: cloud.image.id + type: keyword +- description: Unique container id. + name: container.id + type: keyword +- description: Name of the image the container was built on. + name: container.image.name + type: keyword +- description: Image labels. + name: container.labels + type: object +- description: Container name. + name: container.name + type: keyword +- description: Operating system architecture. + name: host.architecture + type: keyword +- description: |- + Name of the domain of which the host is a member. + For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + name: host.domain + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: host.os.family + type: keyword +- description: Operating system kernel version as a raw string. + name: host.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: host.os.platform + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + Type of host. + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + name: host.type + type: keyword +- description: If the host is a container. + name: host.containerized + type: boolean +- description: OS build information. + name: host.os.build + type: keyword +- description: OS codename, if any. + name: host.os.codename + type: keyword diff --git a/packages/cloudflare/2.2.4/data_stream/audit/fields/base-fields.yml b/packages/cloudflare/2.2.4/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..41565c62c3 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cloudflare +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cloudflare.audit +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/cloudflare/2.2.4/data_stream/audit/fields/beats.yml b/packages/cloudflare/2.2.4/data_stream/audit/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/cloudflare/2.2.4/data_stream/audit/fields/ecs.yml b/packages/cloudflare/2.2.4/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..32424b1170 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/fields/ecs.yml @@ -0,0 +1,109 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword diff --git a/packages/cloudflare/2.2.4/data_stream/audit/fields/fields.yml b/packages/cloudflare/2.2.4/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..5036e91dbb --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/fields/fields.yml @@ -0,0 +1,40 @@ +- name: cloudflare.audit + type: group + description: > + Fields for Cloudflare Audit Logs + + fields: + - name: metadata + type: flattened + description: > + An object which can lend more context to the action being logged. This is a flexible value and varies between different actions. + + - name: actor.type + type: keyword + description: > + The type of actor, whether a User, Cloudflare Admin, or an Automated System. Valid values: user, admin, Cloudflare. + + - name: owner.id + type: keyword + description: > + User identifier tag + + - name: resource.id + type: keyword + description: > + An identifier for the resource that was affected by the action + + - name: resource.type + type: keyword + description: > + A short string that describes the resource that was affected by the action + + - name: new_value + type: flattened + description: > + The new value of the resource that was modified + + - name: old_value + type: flattened + description: >- + The value of the resource before it was modified diff --git a/packages/cloudflare/2.2.4/data_stream/audit/manifest.yml b/packages/cloudflare/2.2.4/data_stream/audit/manifest.yml new file mode 100755 index 0000000000..b7ba0a75c4 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/manifest.yml @@ -0,0 +1,68 @@ +type: logs +title: Cloudflare Audit Logs +streams: + - input: httpjson + vars: + - name: auth_email + type: text + title: Auth Email + description: The Auth Email. Needs to be used with an Auth Key. + multi: false + required: true + show_user: true + - name: auth_key + type: password + title: Auth Key + description: The Auth Key. Needs to be used with an Auth Email. + multi: false + required: true + show_user: true + - name: account + type: text + title: Account ID + multi: false + required: true + show_user: true + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + description: Interval at which the logs will be pulled. The value must be between 2m and 1h. + default: 1h + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: false + description: Initial interval at which the logs will be pulled. Defaults to 30 days (720 hours). Max is 12960 hours (18 months). + default: 720h + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - forwarded + - cloudflare-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" + template_path: httpjson.yml.hbs + title: Cloudflare Audit logs + description: Collect Cloudflare Audit logs via the API diff --git a/packages/cloudflare/2.2.4/data_stream/audit/sample_event.json b/packages/cloudflare/2.2.4/data_stream/audit/sample_event.json new file mode 100755 index 0000000000..39d844d4d0 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/audit/sample_event.json @@ -0,0 +1,84 @@ +{ + "@timestamp": "2021-11-30T13:42:04.000Z", + "agent": { + "ephemeral_id": "be28c4d0-164a-4115-81b7-ace36fc400f4", + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cloud": { + "account": { + "id": "aaabbbccc" + }, + "provider": "cloudflare" + }, + "cloudflare": { + "audit": { + "actor": { + "type": "user" + }, + "owner": { + "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" + }, + "resource": { + "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", + "type": "account" + } + } + }, + "data_stream": { + "dataset": "cloudflare.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "rotate_api_key", + "agent_id_status": "verified", + "category": [ + "iam" + ], + "created": "2021-12-30T04:58:37.412Z", + "dataset": "cloudflare.audit", + "id": "8d3396e8-c903-5a66-9421-00fc34570550", + "ingested": "2021-12-30T04:58:38Z", + "kind": "event", + "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"52.91.36.10\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}", + "outcome": "success", + "type": [ + "change" + ] + }, + "input": { + "type": "httpjson" + }, + "related": { + "ip": [ + "52.91.36.10" + ], + "user": [ + "enl3j9du8rnx2swwd9l32qots7l54t9s" + ] + }, + "source": { + "address": "52.91.36.10", + "ip": "52.91.36.10" + }, + "tags": [ + "forwarded", + "cloudflare-audit", + "preserve_original_event" + ], + "user": { + "email": "user@example.com", + "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" + } +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/agent/stream/httpjson.yml.hbs b/packages/cloudflare/2.2.4/data_stream/logpull/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..54eb358869 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/agent/stream/httpjson.yml.hbs @@ -0,0 +1,64 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" +request.url: {{api_url}}/client/v4/zones/{{zone_id}}/logs/received +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} + +request.transforms: +{{#if auth_token}} + - set: + target: header.Authorization + value: "Bearer {{auth_token}}" +{{else}} + - set: + target: header.X-Auth-Email + value: "{{auth_email}}" + - set: + target: header.X-Auth-Key + value: "{{auth_key}}" +{{/if}} + - set: + target: url.params.start + value: "[[.cursor.last_execution_datetime]]" + default: '[[formatDate (((now).Add (parseDuration "-1m")).Add (parseDuration "-{{interval}}"))]]' + - set: + target: url.params.end + value: '[[formatDate ((parseDate .cursor.last_execution_datetime).Add (parseDuration "{{interval}}"))]]' + default: '[[formatDate ((now).Add (parseDuration "-1m"))]]' + - set: + target: url.params.fields + value: CacheCacheStatus,CacheResponseBytes,CacheResponseStatus,CacheTieredFill,ClientASN,ClientCountry,ClientDeviceType,ClientIP,ClientIPClass,ClientRequestBytes,ClientRequestHost,ClientRequestMethod,ClientRequestPath,ClientRequestProtocol,ClientRequestReferer,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,ClientSSLProtocol,ClientSrcPort,ClientXRequestedWith,EdgeColoCode,EdgeColoID,EdgeEndTimestamp,EdgePathingOp,EdgePathingSrc,EdgePathingStatus,EdgeRateLimitAction,EdgeRateLimitID,EdgeRequestHost,EdgeResponseBytes,EdgeResponseCompressionRatio,EdgeResponseContentType,EdgeResponseStatus,EdgeServerIP,EdgeStartTimestamp,FirewallMatchesActions,FirewallMatchesRuleIDs,FirewallMatchesSources,OriginIP,OriginResponseBytes,OriginResponseHTTPExpires,OriginResponseHTTPLastModified,OriginResponseStatus,OriginResponseTime,OriginSSLProtocol,ParentRayID,RayID,SecurityLevel,WAFAction,WAFFlags,WAFMatchedVar,WAFProfile,WAFRuleID,WAFRuleMessage,WorkerCPUTime,WorkerStatus,WorkerSubrequest,WorkerSubrequestCount,ZoneID,Action + +response.decode_as: application/x-ndjson + +cursor: + last_execution_datetime: + value: '[[.last_response.url.params.Get "end"]]' + +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml b/packages/cloudflare/2.2.4/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..de78b1393c --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,64 @@ +--- +description: Pipeline for parsing cloudflare logs +processors: +- set: + field: ecs.version + value: '8.4.0' +- rename: + field: message + target_field: event.original +- json: + field: event.original + target_field: json +- set: + field: observer.vendor + value: cloudflare +- set: + field: observer.type + value: proxy +- fingerprint: + fields: + - event.original + target_field: "_id" + ignore_missing: true +- pipeline: + name: '{{ IngestPipeline "http" }}' + if: "ctx.json?.EdgeRequestHost != null" +- remove: + field: + - json + ignore_missing: true +- remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml b/packages/cloudflare/2.2.4/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml new file mode 100755 index 0000000000..afa6a45a5d --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/elasticsearch/ingest_pipeline/http.yml @@ -0,0 +1,475 @@ +--- +description: Pipeline for parsing cloudflare http logs +processors: +# Event Time Fields +- convert: + field: json.EdgeStartTimestamp + type: string +- convert: + field: json.EdgeEndTimestamp + type: string +- gsub: + field: json.EdgeStartTimestamp + pattern: "\\d{6}$" + replacement: "" + if: "ctx?.json?.EdgeStartTimestamp != null && (ctx?.json?.EdgeStartTimestamp).length() > 18" +- gsub: + field: json.EdgeEndTimestamp + pattern: "\\d{6}$" + replacement: "" + if: "ctx?.json?.EdgeEndTimestamp != null && (ctx?.json?.EdgeEndTimestamp).length() > 18" +- date: + field: json.EdgeStartTimestamp + formats: + - ISO8601 + - uuuu-MM-dd'T'HH:mm:ssX + - uuuu-MM-dd'T'HH:mm:ss.SSSX + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - UNIX_MS + timezone: UTC + target_field: "@timestamp" +- date: + field: json.EdgeStartTimestamp + formats: + - uuuu-MM-dd'T'HH:mm:ssX + - uuuu-MM-dd'T'HH:mm:ss.SSSX + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - UNIX_MS + timezone: UTC + target_field: "event.start" +- date: + field: json.EdgeEndTimestamp + formats: + - uuuu-MM-dd'T'HH:mm:ssX + - uuuu-MM-dd'T'HH:mm:ss.SSSX + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - UNIX_MS + timezone: UTC + target_field: "event.end" +- script: + lang: painless + if: ctx?.event?.start != null && ctx?.event?.end != null + source: >- + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); +# TLS Fields +- rename: + field: json.ClientSSLProtocol + target_field: cloudflare.client.ssl.protocol + ignore_missing: true + if: ctx?.json?.ClientSSLProtocol.toLowerCase() != 'none' +- rename: + field: json.ClientSSLCipher + target_field: tls.cipher + ignore_missing: true + if: ctx?.json?.ClientSSLCipher.toLowerCase() != 'none' +- dissect: + field: cloudflare.client.ssl.protocol + pattern: "%{tls.version_protocol}v%{tls.version}" + ignore_failure: true + ignore_missing: true +- lowercase: + field: tls.version_protocol + ignore_missing: true +# URL Fields +- uri_parts: + field: json.ClientRequestURI + ignore_failure: true + if: ctx?.json?.ClientRequestURI != null +- set: + field: url.domain + copy_from: json.ClientRequestHost + ignore_empty_value: true + if: ctx?.url?.domain == null +- set: + field: url.path + copy_from: json.ClientRequestPath + ignore_empty_value: true + if: ctx?.url?.path == null +- set: + field: url.scheme + copy_from: json.ClientRequestScheme + ignore_empty_value: true + if: ctx?.url?.scheme == null +- set: + field: url.scheme + value: https + ignore_empty_value: true + if: ctx?.url?.scheme == null && ctx?.cloudflare?.client?.ssl?.protocol != null +- set: + field: url.scheme + value: http + ignore_empty_value: true + if: ctx?.url?.scheme == null +- script: + lang: painless + description: This script builds the `url.full` field out of the available `url.*` parts. + source: | + def full = ""; + if(ctx.url.scheme != null && ctx.url.scheme != "") { + full += ctx.url.scheme+"://"; + } + if(ctx.url.domain != null && ctx.url.domain != "") { + full += ctx.url.domain; + } + if(ctx.url.path != null && ctx.url.path != "") { + full += ctx.url.path; + } + if(ctx.url.query != null && ctx.url.query != "") { + full += "?"+ctx.url.query; + } + if(full != "") { + ctx.url.full = full + } +# User Agent Fields +- user_agent: + field: json.ClientRequestUserAgent + target_field: user_agent + ignore_missing: true +# Observer Fields +- rename: + field: json.EdgeServerIP + target_field: observer.ip + ignore_missing: true + if: ctx?.json?.EdgeServerIP != '' +- geoip: + field: observer.ip + target_field: observer.geo + ignore_missing: true +# Cloudflare Cache Fields +- rename: + field: json.CacheCacheStatus + target_field: cloudflare.cache.status + ignore_missing: true +- rename: + field: json.CacheTieredFill + target_field: cloudflare.cache.tiered_fill + ignore_missing: true +- convert: + field: json.CacheResponseBytes + target_field: cloudflare.cache.bytes + type: long + ignore_missing: true + if: ctx?.json?.CacheResponseBytes != 0 +- convert: + field: json.CacheResponseStatus + target_field: cloudflare.cache.status_code + type: long + ignore_missing: true + if: ctx?.json?.CacheResponseStatus != 0 +# Cloudflare Edge Fields +- rename: + field: json.EdgeColoCode + target_field: cloudflare.edge.colo.code + ignore_missing: true +- rename: + field: json.EdgeColoID + target_field: cloudflare.edge.colo.id + ignore_missing: true +- rename: + field: json.EdgePathingOp + target_field: cloudflare.edge.pathing.op + ignore_missing: true +- rename: + field: json.EdgePathingSrc + target_field: cloudflare.edge.pathing.src + ignore_missing: true +- rename: + field: json.EdgePathingStatus + target_field: cloudflare.edge.pathing.status + ignore_missing: true +- rename: + field: json.EdgeRateLimitAction + target_field: cloudflare.edge.rate_limit.action + ignore_missing: true +- rename: + field: json.EdgeRateLimitID + target_field: cloudflare.edge.rate_limit.id + ignore_missing: true +- rename: + field: json.EdgeRequestHost + target_field: cloudflare.edge.request.host + ignore_missing: true +- convert: + field: json.EdgeResponseBytes + target_field: cloudflare.edge.response.bytes + type: long + ignore_missing: true +- rename: + field: json.EdgeResponseStatus + target_field: cloudflare.edge.response.status_code + ignore_missing: true +- rename: + field: json.EdgeResponseCompressionRatio + target_field: cloudflare.edge.response.compression_ratio + ignore_missing: true +- rename: + field: json.EdgeResponseContentType + target_field: cloudflare.edge.response.content_type + ignore_missing: true +- convert: + field: json.EdgeResponseBodyBytes + target_field: cloudflare.edge.response.body.bytes + type: long + ignore_missing: true +# Cloudflare Firewall Fields +- rename: + field: json.FirewallMatchesActions + target_field: cloudflare.firewall.actions + ignore_missing: true +- rename: + field: json.FirewallMatchesSources + target_field: cloudflare.firewall.sources + ignore_missing: true +- rename: + field: json.FirewallMatchesRuleIDs + target_field: cloudflare.firewall.rule_ids + ignore_missing: true +# Cloudflare WAF Fields +- rename: + field: json.WAFAction + target_field: cloudflare.waf.action + ignore_missing: true +- rename: + field: json.WAFFlags + target_field: cloudflare.waf.flags + ignore_missing: true +- rename: + field: json.WAFMatchedVar + target_field: cloudflare.waf.matched_var + ignore_missing: true +- rename: + field: json.WAFProfile + target_field: cloudflare.waf.profile + ignore_missing: true +- rename: + field: json.WAFRuleID + target_field: cloudflare.waf.rule.id + ignore_missing: true +- rename: + field: json.WAFRuleMessage + target_field: cloudflare.waf.rule.message + ignore_missing: true +# CLoudflare Worker Fields +- convert: + field: json.WorkerCPUTime + target_field: cloudflare.worker.cpu_time + type: long + ignore_missing: true +- rename: + field: json.WorkerStatus + target_field: cloudflare.worker.status + ignore_missing: true +- rename: + field: json.WorkerSubrequest + target_field: cloudflare.worker.subrequest + ignore_missing: true +- convert: + field: json.WorkerSubrequestCount + target_field: cloudflare.worker.subrequest_count + type: long + ignore_missing: true +# Cloudflare Origin Fields +- rename: + field: json.OriginResponseBytes + target_field: cloudflare.origin.response.bytes + ignore_missing: true +- date: + field: json.OriginResponseHTTPExpires + formats: + - EEE, dd MMM yyyy HH:mm:ss z + timezone: UTC + target_field: cloudflare.origin.response.expires + if: ctx?.json?.OriginResponseHTTPExpires != null + ignore_failure: true +- date: + field: json.OriginResponseHTTPLastModified + formats: + - EEE, dd MMM yyyy HH:mm:ss z + timezone: UTC + target_field: cloudflare.origin.response.last_modified + if: ctx?.json?.OriginResponseHTTPLastModified != null + ignore_failure: true +- rename: + field: json.OriginResponseStatus + target_field: cloudflare.origin.response.status_code + ignore_missing: true +- convert: + field: json.OriginResponseTime + target_field: cloudflare.origin.response.time + type: long + ignore_missing: true +- rename: + field: json.OriginSSLProtocol + target_field: cloudflare.origin.ssl.protocol + ignore_missing: true +# Cloudflare RayID Fields +- rename: + field: json.ParentRayID + target_field: cloudflare.parent.ray_id + ignore_missing: true +- rename: + field: json.RayID + target_field: cloudflare.ray_id + ignore_missing: true +# Cloudflare Other Fields +- rename: + field: json.ZoneID + target_field: cloudflare.zone.id + ignore_missing: true +- rename: + field: json.ZoneName + target_field: cloudflare.zone.name + ignore_missing: true +- rename: + field: json.SecurityLevel + target_field: cloudflare.security_level + ignore_missing: true +- rename: + field: json.ClientDeviceType + target_field: cloudflare.device_type + ignore_missing: true +# HTTP Fields +- dissect: + field: json.ClientRequestProtocol + pattern: "%{network.protocol}/%{http.version}" + ignore_failure: true +- set: + field: http.response.bytes + copy_from: cloudflare.edge.response.bytes + ignore_empty_value: true +- set: + field: http.response.body.bytes + copy_from: cloudflare.edge.response.body.bytes + ignore_empty_value: true +- convert: + field: json.ClientRequestBytes + target_field: http.request.bytes + type: long + ignore_missing: true +- rename: + field: json.ClientRequestMethod + target_field: http.request.method + ignore_missing: true +- rename: + field: json.ClientRequestReferer + target_field: http.request.referrer + ignore_missing: true +- set: + field: http.response.status_code + copy_from: cloudflare.edge.response.status_code + ignore_empty_value: true +- set: + field: http.response.status_code + copy_from: cloudflare.origin.response.status_code + ignore_empty_value: true + if: ctx?.http?.response?.status_code == null && ctx?.cloudflare?.origin?.response?.status_code != 0 +# Source Fields +- rename: + field: json.ClientIP + target_field: source.address + ignore_missing: true +- convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + ignore_failure: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- rename: + field: json.ClientCountry + target_field: source.geo.country_iso_code + ignore_missing: true + if: ctx?.source?.geo?.country_iso_code == null +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: json.ClientASN + target_field: source.as.number + ignore_missing: true + if: ctx?.source?.as?.number == null +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- set: + field: source.bytes + copy_from: http.request.bytes + ignore_empty_value: true +- convert: + field: json.ClientSrcPort + target_field: source.port + type: long + ignore_missing: true +# Client Fields +- set: + field: client + copy_from: source +- rename: + field: json.ClientIPClass + target_field: cloudflare.client.ip_class + ignore_missing: true +# Destination Fields +- rename: + field: json.OriginIP + target_field: destination.address + ignore_missing: true +- convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_missing: true + ignore_failure: true +- set: + field: destination.bytes + copy_from: cloudflare.edge.response.bytes + ignore_empty_value: true +# Server Fields +- set: + field: server + copy_from: destination +- set: + field: event.category + value: network +- set: + field: event.kind + value: event +- append: + field: event.type + value: denied + allow_duplicates: false + if: ctx?.cloudflare?.firewall?.actions.contains('block') +# Network Fields +- lowercase: + field: network.protocol + ignore_missing: true +- set: + field: network.transport + value: tcp + if: ctx?.network?.protocol != null && ctx?.network?.protocol == 'http' +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/fields/agent.yml b/packages/cloudflare/2.2.4/data_stream/logpull/fields/agent.yml new file mode 100755 index 0000000000..4d9a6f7b36 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/fields/agent.yml @@ -0,0 +1,114 @@ +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/fields/base-fields.yml b/packages/cloudflare/2.2.4/data_stream/logpull/fields/base-fields.yml new file mode 100755 index 0000000000..2905a4c5b4 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cloudflare +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cloudflare.logpull +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/fields/beats.yml b/packages/cloudflare/2.2.4/data_stream/logpull/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/fields/ecs.yml b/packages/cloudflare/2.2.4/data_stream/logpull/fields/ecs.yml new file mode 100755 index 0000000000..71f30d5569 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/fields/ecs.yml @@ -0,0 +1,456 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: Port of the client. + name: client.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: source.user.full_name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Port of the request, such as 443. + name: url.port + type: long +- description: Username of the request. + name: url.username + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: String indicating the cipher used during the current connection. + name: tls.cipher + type: keyword +- description: Numeric part of the version parsed from the original string. + name: tls.version + type: keyword +- description: Normalized lowercase protocol name parsed from original string. + name: tls.version_protocol + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: Size in bytes of the request body. + name: http.request.body.bytes + type: long +- description: Size in bytes of the response body. + name: http.response.body.bytes + type: long +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: HTTP version. + name: http.version + type: keyword +- description: Total size in bytes of the request (body and headers). + name: http.request.bytes + type: long +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: City name. + name: observer.geo.city_name + type: keyword +- description: Name of the continent. + name: observer.geo.continent_name + type: keyword +- description: Country ISO code. + name: observer.geo.country_iso_code + type: keyword +- description: Country name. + name: observer.geo.country_name + type: keyword +- description: Region ISO code. + name: observer.geo.region_iso_code + type: keyword +- description: Longitude and latitude. + name: observer.geo.location + type: geo_point +- description: Region name. + name: observer.geo.region_name + type: keyword +- description: IP addresses of the observer. + name: observer.ip + normalize: + - array + type: ip +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/fields/fields.yml b/packages/cloudflare/2.2.4/data_stream/logpull/fields/fields.yml new file mode 100755 index 0000000000..0712d73ccb --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/fields/fields.yml @@ -0,0 +1,319 @@ +- name: cloudflare + type: group + release: beta + default_field: false + description: > + Fields for Cloudflare Logs + + fields: + - name: cache + type: group + description: > + Fields for Cloudflare Cache + + fields: + - name: status + type: keyword + description: > + Status of cache + + - name: tiered_fill + type: boolean + description: > + Tiered Cache was used to serve this request + + - name: bytes + type: long + description: > + Number of bytes returned by the cache + + - name: status_code + type: long + description: > + HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. + + - name: edge + type: group + description: > + Fields for Cloudflare Edge + + fields: + - name: colo + type: group + description: > + Fields for Cloudflare Edge Colo + + fields: + - name: code + type: keyword + description: > + IATA airport code of data center that received the request + + - name: id + type: long + description: > + Cloudflare edge colo id + + - name: pathing + type: group + description: > + Fields for Cloudflare Edge Pathing + + fields: + - name: op + type: keyword + description: > + Indicates what type of response was issued for this request (unknown = no specific action) + + - name: src + type: keyword + description: > + Details how the request was classified based on security checks (unknown = no specific classification) + + - name: status + type: keyword + description: > + Indicates what data was used to determine the handling of this request (unknown = no data) + + - name: rate_limit + type: group + description: > + Fields for Cloudflare Edge Pathing + + fields: + - name: action + type: keyword + description: > + The action taken by the blocking rule; empty if no action taken + + - name: id + type: long + description: > + The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. 0 if no action taken. + + - name: request + type: group + description: > + Fields for Cloudflare Edge Request + + fields: + - name: host + type: keyword + description: > + Host header on the request from the edge to the origin + + - name: response + type: group + description: > + Fields for Cloudflare Edge Response + + fields: + - name: compression_ratio + type: long + description: > + Edge response compression ratio + + - name: content_type + type: keyword + description: > + Edge response Content-Type header value + + - name: bytes + type: long + description: > + Number of bytes returned by the edge to the client + + - name: status_code + type: long + description: > + HTTP status code returned by Cloudflare to the client + + - name: firewall + type: group + description: > + Fields for Cloudflare Firewall + + fields: + - name: actions + type: array + description: > + Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. + + - name: sources + type: array + description: > + The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. + + - name: rule_ids + type: array + description: > + Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources. + + - name: waf + type: group + description: > + Fields for Cloudflare WAF + + fields: + - name: action + type: keyword + description: > + Action taken by the WAF, if triggered + + - name: flags + type: keyword + description: > + Additional configuration flags: simulate (0x1) | null + + - name: matched_var + type: keyword + description: > + The full name of the most-recently matched variable + + - name: profile + type: keyword + description: > + low | med | high + + - name: rule + type: group + description: > + Fields for Cloudflare WAF Rule + + fields: + - name: id + type: keyword + description: > + ID of the applied WAF rule + + - name: message + type: keyword + description: > + Rule message associated with the triggered rule + + - name: worker + type: group + description: > + Fields for Cloudflare Worker + + fields: + - name: cpu_time + type: long + description: > + Amount of time in microseconds spent executing a worker, if any + + - name: status + type: keyword + description: > + Status returned from worker daemon + + - name: subrequest + type: boolean + description: > + Whether or not this request was a worker subrequest + + - name: subrequest_count + type: long + description: > + Number of subrequests issued by a worker when handling this request + + - name: origin + type: group + description: > + Fields for Cloudflare Origin + + fields: + - name: ssl + type: group + description: > + Fields for Cloudflare Origin SSL + + fields: + - name: protocol + type: keyword + description: > + SSL (TLS) protocol used to connect to the origin + + - name: response + type: group + description: > + Fields for Cloudflare Origin Response + + fields: + - name: time + type: long + description: > + Number of nanoseconds it took the origin to return the response to edge + + - name: status_code + type: long + description: > + Status returned by the origin server + + - name: last_modified + type: date + description: > + Value of the origin 'last-modified' header + + - name: expires + type: date + description: > + Value of the origin 'expires' header + + - name: bytes + type: long + description: > + Number of bytes returned by the origin server + + - name: parent + type: group + description: > + Fields for Cloudflare Parent + + fields: + - name: ray_id + type: keyword + description: > + Ray ID of the parent request if this request was made using a Worker script + + - name: ray_id + type: keyword + description: > + Ray ID of the parent request if this request was made using a Worker script + + - name: security_level + type: keyword + description: > + The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. + + - name: device_type + type: keyword + description: > + Client device type + + - name: zone + type: group + description: > + Fields for Cloudflare Zone + + fields: + - name: id + type: long + description: > + Internal zone ID + + - name: name + type: keyword + description: > + The human-readable name of the zone (e.g. 'cloudflare.com'). + + - name: client.ip_class + type: keyword + description: > + Class of client, ex. badHost | searchEngine | allowlist | greylist.... + + - name: client.ssl.protocol + type: keyword + description: > + Client SSL (TLS) protocol + diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/manifest.yml b/packages/cloudflare/2.2.4/data_stream/logpull/manifest.yml new file mode 100755 index 0000000000..1a3eccd77a --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/manifest.yml @@ -0,0 +1,67 @@ +type: logs +title: Cloudflare Logpull +streams: + - input: httpjson + vars: + - name: auth_email + type: text + title: Auth Email + description: The Auth Email. Needs to be used with an Auth Key. Do not fill if you are using an Auth Token. + multi: false + required: false + show_user: true + - name: auth_key + type: password + title: Auth Key + description: The Auth Key. Needs to be used with an Auth Email. Do not fill if you are using an Auth Token. + multi: false + required: false + show_user: true + - name: auth_token + type: password + title: Auth token + description: The auth token. If set, Auth Email and Auth Key will be ignored. + required: false + multi: false + show_user: true + - name: zone_id + type: text + title: Zone ID + multi: false + required: true + show_user: true + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + description: Interval at which the logs will be pulled. The value must be between 1s and 1h. + default: 5m + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - forwarded + - cloudflare-logpull + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" + template_path: httpjson.yml.hbs + title: Cloudflare logs + description: Collect Cloudflare logs via the Logpull API diff --git a/packages/cloudflare/2.2.4/data_stream/logpull/sample_event.json b/packages/cloudflare/2.2.4/data_stream/logpull/sample_event.json new file mode 100755 index 0000000000..625c77e088 --- /dev/null +++ b/packages/cloudflare/2.2.4/data_stream/logpull/sample_event.json @@ -0,0 +1,191 @@ +{ + "@timestamp": "2019-08-02T15:29:08.000Z", + "agent": { + "ephemeral_id": "cc5a5e17-4689-49cd-a620-44997d7309a8", + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "client": { + "address": "35.232.161.245", + "as": { + "number": 15169 + }, + "bytes": 2577, + "geo": { + "country_iso_code": "us" + }, + "ip": "35.232.161.245", + "port": 55028 + }, + "cloudflare": { + "cache": { + "status": "unknown", + "tiered_fill": false + }, + "client": { + "ip_class": "noRecord", + "ssl": { + "protocol": "TLSv1.2" + } + }, + "device_type": "desktop", + "edge": { + "colo": { + "id": 14 + }, + "pathing": { + "op": "chl", + "src": "filterBasedFirewall", + "status": "captchaNew" + }, + "rate_limit": { + "id": 0 + }, + "response": { + "bytes": 2848, + "compression_ratio": 2.64, + "content_type": "text/html", + "status_code": 403 + } + }, + "firewall": { + "actions": [ + "simulate", + "challenge" + ], + "rule_ids": [ + "094b71fea25d4860a61fa0c6fbbd8d8b", + "e454fd4a0ce546b3a9a462536613692c" + ], + "sources": [ + "firewallRules", + "firewallRules" + ] + }, + "origin": { + "response": { + "bytes": 0, + "status_code": 0, + "time": 0 + }, + "ssl": { + "protocol": "unknown" + } + }, + "parent": { + "ray_id": "00" + }, + "ray_id": "500115ec386354d8", + "security_level": "med", + "waf": { + "action": "unknown", + "flags": "0", + "profile": "unknown" + }, + "worker": { + "cpu_time": 0, + "status": "unknown", + "subrequest": false, + "subrequest_count": 0 + }, + "zone": { + "id": 155978002 + } + }, + "data_stream": { + "dataset": "cloudflare.logpull", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 2848 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2021-12-30T04:59:20.268Z", + "dataset": "cloudflare.logpull", + "duration": 0, + "end": "2019-08-02T15:29:08.000Z", + "ingested": "2021-12-30T04:59:21Z", + "kind": "event", + "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"35.232.161.245\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}", + "start": "2019-08-02T15:29:08.000Z" + }, + "http": { + "request": { + "bytes": 2577, + "method": "POST", + "referrer": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000" + }, + "response": { + "bytes": 2848, + "status_code": 403 + }, + "version": "1.1" + }, + "input": { + "type": "httpjson" + }, + "network": { + "bytes": 5425, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "cloudflare" + }, + "server": { + "bytes": 2848 + }, + "source": { + "address": "35.232.161.245", + "as": { + "number": 15169 + }, + "bytes": 2577, + "geo": { + "country_iso_code": "us" + }, + "ip": "35.232.161.245", + "port": 55028 + }, + "tags": [ + "forwarded", + "cloudflare-logpull", + "preserve_original_event" + ], + "tls": { + "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256", + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "domain": "cf-analytics.com", + "extension": "php", + "full": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000", + "original": "/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000", + "path": "/wp-cron.php", + "query": "doing_wp_cron=1564759748.3962020874023437500000", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Spider" + }, + "name": "WordPress", + "original": "WordPress/5.2.2;https://cf-analytics.com", + "version": "5.2.2" + } +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/docs/README.md b/packages/cloudflare/2.2.4/docs/README.md new file mode 100755 index 0000000000..ea6e87a6c1 --- /dev/null +++ b/packages/cloudflare/2.2.4/docs/README.md @@ -0,0 +1,628 @@ +# Cloudflare Integration + +Cloudflare integration uses [Cloudflare's API](https://api.cloudflare.com/) to retrieve [audit logs](https://support.cloudflare.com/hc/en-us/articles/115002833612-Understanding-Cloudflare-Audit-Logs) and [traffic logs](https://developers.cloudflare.com/logs/logpull/understanding-the-basics/) from Cloudflare, for a particular zone, and ingest them into Elasticsearch. This allows you to search, observe and visualize the Cloudflare log events through Elasticsearch. + +Users of [Cloudflare](https://www.cloudflare.com/en-au/learning/what-is-cloudflare/) use Cloudflare services to increase the security and performance of their web sites and services. + +## Configuration + +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations** +2. In the "Search for integrations" search bar type **Cloudflare**. +3. Click on "Cloudflare" integration from the search results. +4. Click on **Add Cloudflare** button to add Cloudflare integration. + +### Configure Cloudflare audit logs data stream + +Enter values "Auth Email", "Auth Key" and "Account ID". + +1. **Auth Email** is the email address associated with your account. +2. [**Auth Key**](https://developers.cloudflare.com/api/keys/) is the API key generated on the "My Account" page. +3. **Account ID** can be found on the Cloudflare dashboard. Follow the navigation documentation from [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/). + +NOTE: See for `X-AUTH-EMAIL` and `X-AUTH-KEY` [here](https://api.cloudflare.com/#getting-started-requests) for more information on Auth Email and Auth Key. + +### Configure Cloudflare logs + +These logs contain data related to the connecting client, the request path through the Cloudflare network, and the response from the origin web server. For more information see [here](https://developers.cloudflare.com/logs/logpull/). + +The integration can retrieve Cloudflare logs using - + +1. Auth Email and Auth Key +2. API Token + +More information is available [here](https://developers.cloudflare.com/logs/logpull/requesting-logs/#required-authentication-headers) + +#### Configure using Auth Email and Auth Key + +Enter values "Auth Email", "Auth Key" and "Zone ID". + +1. **Auth Email** is the email address associated with your account. +2. [**Auth Key**](https://developers.cloudflare.com/api/keys/) is the API key generated on the "My Account" page. +3. **Zone ID** can be found [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/). + +> Note: See for `X-AUTH-EMAIL` and `X-AUTH-KEY` [here](https://api.cloudflare.com/#getting-started-requests) for more information on Auth Email and Auth Key. + +#### Configure using API Token + +Enter values "API Token" and "Zone ID". + +For the Cloudflare integration to be able to successfully get logs the following permissions must be granted to the API token - + +- Account.Access: Audit Logs: Read + +1. [**API Tokens**](https://developers.cloudflare.com/api/tokens/) allow for more granular permission settings. +2. **Zone ID** can be found [here](https://developers.cloudflare.com/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/). + +## Logs + +### Audit + +Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account-level actions like login and logout, as well as setting changes to DNS, Crypto, Firewall, Speed, Caching, Page Rules, Network, and Traffic features, etc. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloudflare.audit.actor.type | The type of actor, whether a User, Cloudflare Admin, or an Automated System. Valid values: user, admin, Cloudflare. | keyword | +| cloudflare.audit.metadata | An object which can lend more context to the action being logged. This is a flexible value and varies between different actions. | flattened | +| cloudflare.audit.new_value | The new value of the resource that was modified | flattened | +| cloudflare.audit.old_value | The value of the resource before it was modified | flattened | +| cloudflare.audit.owner.id | User identifier tag | keyword | +| cloudflare.audit.resource.id | An identifier for the resource that was affected by the action | keyword | +| cloudflare.audit.resource.type | A short string that describes the resource that was affected by the action | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2021-11-30T13:42:04.000Z", + "agent": { + "ephemeral_id": "be28c4d0-164a-4115-81b7-ace36fc400f4", + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cloud": { + "account": { + "id": "aaabbbccc" + }, + "provider": "cloudflare" + }, + "cloudflare": { + "audit": { + "actor": { + "type": "user" + }, + "owner": { + "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" + }, + "resource": { + "id": "enl3j9du8rnx2swwd9l32qots7l54t9s", + "type": "account" + } + } + }, + "data_stream": { + "dataset": "cloudflare.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "rotate_api_key", + "agent_id_status": "verified", + "category": [ + "iam" + ], + "created": "2021-12-30T04:58:37.412Z", + "dataset": "cloudflare.audit", + "id": "8d3396e8-c903-5a66-9421-00fc34570550", + "ingested": "2021-12-30T04:58:38Z", + "kind": "event", + "original": "{\"action\":{\"info\":\"key digest: c6b5d100d7ce492d24c5b13160fce1cc0092ce7e8d8430e9f5cf5468868be6f6\",\"result\":true,\"type\":\"rotate_API_key\"},\"actor\":{\"email\":\"user@example.com\",\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"ip\":\"52.91.36.10\",\"type\":\"user\"},\"id\":\"8d3396e8-c903-5a66-9421-00fc34570550\",\"interface\":\"\",\"metadata\":{},\"newValue\":\"\",\"oldValue\":\"\",\"owner\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\"},\"resource\":{\"id\":\"enl3j9du8rnx2swwd9l32qots7l54t9s\",\"type\":\"account\"},\"when\":\"2021-11-30T13:42:04Z\"}", + "outcome": "success", + "type": [ + "change" + ] + }, + "input": { + "type": "httpjson" + }, + "related": { + "ip": [ + "52.91.36.10" + ], + "user": [ + "enl3j9du8rnx2swwd9l32qots7l54t9s" + ] + }, + "source": { + "address": "52.91.36.10", + "ip": "52.91.36.10" + }, + "tags": [ + "forwarded", + "cloudflare-audit", + "preserve_original_event" + ], + "user": { + "email": "user@example.com", + "id": "enl3j9du8rnx2swwd9l32qots7l54t9s" + } +} +``` + +### Logpull + +These logs contain data related to the connecting client, the request path through the Cloudflare network, and the response from the origin web server. For more information see [here](https://developers.cloudflare.com/logs/logpull/). + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| cloudflare.cache.bytes | Number of bytes returned by the cache | long | +| cloudflare.cache.status | Status of cache | keyword | +| cloudflare.cache.status_code | HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. | long | +| cloudflare.cache.tiered_fill | Tiered Cache was used to serve this request | boolean | +| cloudflare.client.ip_class | Class of client, ex. badHost | searchEngine | allowlist | greylist.... | keyword | +| cloudflare.client.ssl.protocol | Client SSL (TLS) protocol | keyword | +| cloudflare.device_type | Client device type | keyword | +| cloudflare.edge.colo.code | IATA airport code of data center that received the request | keyword | +| cloudflare.edge.colo.id | Cloudflare edge colo id | long | +| cloudflare.edge.pathing.op | Indicates what type of response was issued for this request (unknown = no specific action) | keyword | +| cloudflare.edge.pathing.src | Details how the request was classified based on security checks (unknown = no specific classification) | keyword | +| cloudflare.edge.pathing.status | Indicates what data was used to determine the handling of this request (unknown = no data) | keyword | +| cloudflare.edge.rate_limit.action | The action taken by the blocking rule; empty if no action taken | keyword | +| cloudflare.edge.rate_limit.id | The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. 0 if no action taken. | long | +| cloudflare.edge.request.host | Host header on the request from the edge to the origin | keyword | +| cloudflare.edge.response.bytes | Number of bytes returned by the edge to the client | long | +| cloudflare.edge.response.compression_ratio | Edge response compression ratio | long | +| cloudflare.edge.response.content_type | Edge response Content-Type header value | keyword | +| cloudflare.edge.response.status_code | HTTP status code returned by Cloudflare to the client | long | +| cloudflare.firewall.actions | Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. | array | +| cloudflare.firewall.rule_ids | Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources. | array | +| cloudflare.firewall.sources | The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. | array | +| cloudflare.origin.response.bytes | Number of bytes returned by the origin server | long | +| cloudflare.origin.response.expires | Value of the origin 'expires' header | date | +| cloudflare.origin.response.last_modified | Value of the origin 'last-modified' header | date | +| cloudflare.origin.response.status_code | Status returned by the origin server | long | +| cloudflare.origin.response.time | Number of nanoseconds it took the origin to return the response to edge | long | +| cloudflare.origin.ssl.protocol | SSL (TLS) protocol used to connect to the origin | keyword | +| cloudflare.parent.ray_id | Ray ID of the parent request if this request was made using a Worker script | keyword | +| cloudflare.ray_id | Ray ID of the parent request if this request was made using a Worker script | keyword | +| cloudflare.security_level | The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system. | keyword | +| cloudflare.waf.action | Action taken by the WAF, if triggered | keyword | +| cloudflare.waf.flags | Additional configuration flags: simulate (0x1) | null | keyword | +| cloudflare.waf.matched_var | The full name of the most-recently matched variable | keyword | +| cloudflare.waf.profile | low | med | high | keyword | +| cloudflare.waf.rule.id | ID of the applied WAF rule | keyword | +| cloudflare.waf.rule.message | Rule message associated with the triggered rule | keyword | +| cloudflare.worker.cpu_time | Amount of time in microseconds spent executing a worker, if any | long | +| cloudflare.worker.status | Status returned from worker daemon | keyword | +| cloudflare.worker.subrequest | Whether or not this request was a worker subrequest | boolean | +| cloudflare.worker.subrequest_count | Number of subrequests issued by a worker when handling this request | long | +| cloudflare.zone.id | Internal zone ID | long | +| cloudflare.zone.name | The human-readable name of the zone (e.g. 'cloudflare.com'). | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.body.bytes | Size in bytes of the request body. | long | +| http.request.bytes | Total size in bytes of the request (body and headers). | long | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.geo.city_name | City name. | keyword | +| observer.geo.continent_name | Name of the continent. | keyword | +| observer.geo.country_iso_code | Country ISO code. | keyword | +| observer.geo.country_name | Country name. | keyword | +| observer.geo.location | Longitude and latitude. | geo_point | +| observer.geo.region_iso_code | Region ISO code. | keyword | +| observer.geo.region_name | Region name. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.bytes | Bytes sent from the server to the client. | long | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.id | Unique identifier of the user. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| tls.cipher | String indicating the cipher used during the current connection. | keyword | +| tls.version | Numeric part of the version parsed from the original string. | keyword | +| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.username | Username of the request. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +An example event for `logpull` looks as following: + +```json +{ + "@timestamp": "2019-08-02T15:29:08.000Z", + "agent": { + "ephemeral_id": "cc5a5e17-4689-49cd-a620-44997d7309a8", + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "client": { + "address": "35.232.161.245", + "as": { + "number": 15169 + }, + "bytes": 2577, + "geo": { + "country_iso_code": "us" + }, + "ip": "35.232.161.245", + "port": 55028 + }, + "cloudflare": { + "cache": { + "status": "unknown", + "tiered_fill": false + }, + "client": { + "ip_class": "noRecord", + "ssl": { + "protocol": "TLSv1.2" + } + }, + "device_type": "desktop", + "edge": { + "colo": { + "id": 14 + }, + "pathing": { + "op": "chl", + "src": "filterBasedFirewall", + "status": "captchaNew" + }, + "rate_limit": { + "id": 0 + }, + "response": { + "bytes": 2848, + "compression_ratio": 2.64, + "content_type": "text/html", + "status_code": 403 + } + }, + "firewall": { + "actions": [ + "simulate", + "challenge" + ], + "rule_ids": [ + "094b71fea25d4860a61fa0c6fbbd8d8b", + "e454fd4a0ce546b3a9a462536613692c" + ], + "sources": [ + "firewallRules", + "firewallRules" + ] + }, + "origin": { + "response": { + "bytes": 0, + "status_code": 0, + "time": 0 + }, + "ssl": { + "protocol": "unknown" + } + }, + "parent": { + "ray_id": "00" + }, + "ray_id": "500115ec386354d8", + "security_level": "med", + "waf": { + "action": "unknown", + "flags": "0", + "profile": "unknown" + }, + "worker": { + "cpu_time": 0, + "status": "unknown", + "subrequest": false, + "subrequest_count": 0 + }, + "zone": { + "id": 155978002 + } + }, + "data_stream": { + "dataset": "cloudflare.logpull", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 2848 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2021-12-30T04:59:20.268Z", + "dataset": "cloudflare.logpull", + "duration": 0, + "end": "2019-08-02T15:29:08.000Z", + "ingested": "2021-12-30T04:59:21Z", + "kind": "event", + "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"35.232.161.245\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}", + "start": "2019-08-02T15:29:08.000Z" + }, + "http": { + "request": { + "bytes": 2577, + "method": "POST", + "referrer": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000" + }, + "response": { + "bytes": 2848, + "status_code": 403 + }, + "version": "1.1" + }, + "input": { + "type": "httpjson" + }, + "network": { + "bytes": 5425, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "cloudflare" + }, + "server": { + "bytes": 2848 + }, + "source": { + "address": "35.232.161.245", + "as": { + "number": 15169 + }, + "bytes": 2577, + "geo": { + "country_iso_code": "us" + }, + "ip": "35.232.161.245", + "port": 55028 + }, + "tags": [ + "forwarded", + "cloudflare-logpull", + "preserve_original_event" + ], + "tls": { + "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256", + "version": "1.2", + "version_protocol": "tls" + }, + "url": { + "domain": "cf-analytics.com", + "extension": "php", + "full": "https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000", + "original": "/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000", + "path": "/wp-cron.php", + "query": "doing_wp_cron=1564759748.3962020874023437500000", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Spider" + }, + "name": "WordPress", + "original": "WordPress/5.2.2;https://cf-analytics.com", + "version": "5.2.2" + } +} +``` diff --git a/packages/cloudflare/2.2.4/img/cf-logo-v.svg b/packages/cloudflare/2.2.4/img/cf-logo-v.svg new file mode 100755 index 0000000000..35c7495a8a --- /dev/null +++ b/packages/cloudflare/2.2.4/img/cf-logo-v.svg @@ -0,0 +1,50 @@ + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/cloudflare/2.2.4/img/cloudflare-performance.png b/packages/cloudflare/2.2.4/img/cloudflare-performance.png new file mode 100755 index 0000000000..6c703e688d Binary files /dev/null and b/packages/cloudflare/2.2.4/img/cloudflare-performance.png differ diff --git a/packages/cloudflare/2.2.4/img/cloudflare-performance2.png b/packages/cloudflare/2.2.4/img/cloudflare-performance2.png new file mode 100755 index 0000000000..e1b4509987 Binary files /dev/null and b/packages/cloudflare/2.2.4/img/cloudflare-performance2.png differ diff --git a/packages/cloudflare/2.2.4/img/cloudflare-reliability.png b/packages/cloudflare/2.2.4/img/cloudflare-reliability.png new file mode 100755 index 0000000000..b0a4dd4b49 Binary files /dev/null and b/packages/cloudflare/2.2.4/img/cloudflare-reliability.png differ diff --git a/packages/cloudflare/2.2.4/img/cloudflare-security-overview.png b/packages/cloudflare/2.2.4/img/cloudflare-security-overview.png new file mode 100755 index 0000000000..819196d8c5 Binary files /dev/null and b/packages/cloudflare/2.2.4/img/cloudflare-security-overview.png differ diff --git a/packages/cloudflare/2.2.4/img/cloudflare-snapshot.png b/packages/cloudflare/2.2.4/img/cloudflare-snapshot.png new file mode 100755 index 0000000000..60772e5bc3 Binary files /dev/null and b/packages/cloudflare/2.2.4/img/cloudflare-snapshot.png differ diff --git a/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..cb34d553d1 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "description": "Get a quick overview of the most important metrics from your websites and applications on the Cloudflare network.\n", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"1\",\"w\":11,\"x\":1,\"y\":26},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":23,\"x\":1,\"y\":31},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"3\",\"w\":18,\"x\":29,\"y\":13},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"4\",\"w\":12,\"x\":12,\"y\":26},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"5\",\"w\":12,\"x\":35,\"y\":26},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"6\",\"w\":11,\"x\":24,\"y\":26},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":23,\"x\":24,\"y\":31},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":12,\"x\":1,\"y\":38},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9\",\"w\":16,\"x\":13,\"y\":38},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"10\",\"w\":18,\"x\":29,\"y\":38},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":10,\"x\":1,\"y\":9},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":13,\"x\":11,\"y\":9},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":11,\"x\":24,\"y\":9},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":12,\"x\":35,\"y\":9},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"16\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"17\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"18\",\"w\":46,\"x\":1,\"y\":22},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"19\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"84e94c8e-19d9-4dfe-8e37-c43c004c3f05\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"5f05840e-eb7e-45bd-9319-e6746cc4fa49\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Traffic Countries Map [Cloudflare]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"0f8532d1-8c6a-4c1d-900e-8d6eb49112df\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"lucene\\\",\\\"query\\\":\\\"*\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Traffic Countries Map [Cloudflare]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":9,\"i\":\"bdc0fa59-ea05-4976-983a-70567c1fd2d6\",\"w\":28,\"x\":1,\"y\":13},\"panelIndex\":\"bdc0fa59-ea05-4976-983a-70567c1fd2d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "Cloudflare - Snapshot", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-095f3a00-23d6-11e9-ba08-c19298cded24", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-08c86890-2323-11e9-ba08-c19298cded24", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cloudflare-27809b60-2326-11e9-ba08-c19298cded24", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cloudflare-4d637090-2327-11e9-ba08-c19298cded24", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cloudflare-04dda790-2328-11e9-ba08-c19298cded24", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "bdc0fa59-ea05-4976-983a-70567c1fd2d6:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..36a8a139ec --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "Get insights on threats to your websites and applications, including number of threats stopped, threats over time, top threat countries, and more.\n", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"1\",\"w\":16,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"2\",\"w\":15,\"x\":17,\"y\":9},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"3\",\"w\":15,\"x\":32,\"y\":9},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":31,\"y\":14},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":17,\"x\":30,\"y\":32},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":29,\"x\":1,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"8\",\"w\":46,\"x\":1,\"y\":40},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"9\",\"w\":11,\"x\":20,\"y\":14},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":29,\"x\":1,\"y\":24},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":17,\"x\":30,\"y\":24},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"14\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"15\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"573a3d3e-987d-41b5-a714-2344535c0ca9\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"4d50c3a6-72f9-46f4-bb21-4d54fe1c9842\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Threat Countries Map [Cloudflare]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"25e907ec-31fb-40fe-9a10-49f002b31bf0\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"lucene\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[{\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"},\\\"meta\\\":{\\\"alias\\\":null,\\\"disabled\\\":false,\\\"key\\\":\\\"query\\\",\\\"negate\\\":false,\\\"type\\\":\\\"custom\\\",\\\"value\\\":\\\"{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"should\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"bic\\\\\\\"}}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"hot\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"hot\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ip\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"captchaFail\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"macro\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"jschlFail\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"zl\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"us\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"rateLimit\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"filterBasedFirewall\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"unknown\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"filterBasedFirewall\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"chl\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ctry\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ip\\\\\\\"}}}]}}]}},{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"bool\\\\\\\":{\\\\\\\"adjust_pure_negative\\\\\\\":true,\\\\\\\"boost\\\\\\\":1,\\\\\\\"must\\\\\\\":[{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.src\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"user\\\\\\\"}}},{\\\\\\\"term\\\\\\\":{\\\\\\\"cloudflare.edge.pathing.op\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"value\\\\\\\":\\\\\\\"ban\\\\\\\"}}}]}},{\\\\\\\"terms\\\\\\\":{\\\\\\\"boost\\\\\\\":1,\\\\\\\"cloudflare.edge.pathing.status\\\\\\\":[\\\\\\\"ipr16\\\\\\\",\\\\\\\"ipr24\\\\\\\",\\\\\\\"ip6\\\\\\\",\\\\\\\"ip6r64\\\\\\\",\\\\\\\"ip6r48\\\\\\\",\\\\\\\"ip6r32\\\\\\\"]}}]}}]},\\\\\\\"_source\\\\\\\":{\\\\\\\"excludes\\\\\\\":[],\\\\\\\"includes\\\\\\\":[\\\\\\\"source.geo.region_name\\\\\\\",\\\\\\\"cloudflare.client.ip_class\\\\\\\",\\\\\\\"url.path\\\\\\\",\\\\\\\"cloudflare.client.request.protocol\\\\\\\",\\\\\\\"http.request.referrer\\\\\\\",\\\\\\\"url.full\\\\\\\",\\\\\\\"user_agent.original\\\\\\\",\\\\\\\"cloudflare.client.ssl.cipher\\\\\\\",\\\\\\\"cloudflare.client.ssl.protocol\\\\\\\",\\\\\\\"cloudflare.edge.rate_limit.action\\\\\\\",\\\\\\\"cloudflare.edge.response.content_type\\\\\\\",\\\\\\\"cloudflare.origin.response.http.expires\\\\\\\",\\\\\\\"cloudflare.origin.response.http.last_modified\\\\\\\",\\\\\\\"cloudflare.origin.ssl.protocol\\\\\\\",\\\\\\\"user_agent.os.full\\\\\\\",\\\\\\\"user_agent.name\\\\\\\",\\\\\\\"cloudflare.waf.action\\\\\\\",\\\\\\\"cloudflare.waf.flags\\\\\\\",\\\\\\\"cloudflare.waf.matched_var\\\\\\\",\\\\\\\"cloudflare.waf.profile\\\\\\\",\\\\\\\"cloudflare.waf.rule.id\\\\\\\",\\\\\\\"cloudflare.waf.rule.message\\\\\\\",\\\\\\\"cloudflare.worker.status\\\\\\\",\\\\\\\"message\\\\\\\",\\\\\\\"tags\\\\\\\"]},\\\\\\\"docvalue_fields\\\\\\\":[{\\\\\\\"field\\\\\\\":\\\\\\\"@timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"@version\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.status\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.response.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.response.status\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.cache.tiered.fill\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.as.number\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_iso_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.device_type\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.city_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.continent_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_code2\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_code3\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.country_name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.dma_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"client.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.latitude\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.longitude\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.postal_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.region_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"source.geo.timezone\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.request.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"url.domain\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.request.method\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"client.port\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.colo.id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.end.timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.op\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.src\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.pathing.status\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.rate_limit.id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.request.host\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"destination.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.edge.response.compression_ratio\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.response.status_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"observer.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"@timestamp\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"epoch_millis\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"destination.ip\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"http.response.bytes\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.origin.response.status_code\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.origin.response.time\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.parent.ray_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.ray_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.security_level\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.build\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.device\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.major\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.minor\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.name\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.os_major\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.os_minor\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"user_agent.patch\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.cpu_time\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.subrequest\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.worker.subrequest_count\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"},{\\\\\\\"field\\\\\\\":\\\\\\\"cloudflare.zone_id\\\\\\\",\\\\\\\"format\\\\\\\":\\\\\\\"use_field_mapping\\\\\\\"}],\\\\\\\"size\\\\\\\":50,\\\\\\\"sort\\\\\\\":[{\\\\\\\"_doc\\\\\\\":{\\\\\\\"order\\\\\\\":\\\\\\\"asc\\\\\\\"}}]}\\\",\\\"index\\\":\\\"logs-*\\\"},\\\"query\\\":{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"should\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"bic\\\"}}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"hot\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"hot\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ip\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"captchaFail\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"macro\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"jschlFail\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"zl\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"us\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"rateLimit\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"filterBasedFirewall\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"unknown\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"filterBasedFirewall\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"chl\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ctry\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.status\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ip\\\"}}}]}}]}},{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"bool\\\":{\\\"adjust_pure_negative\\\":true,\\\"boost\\\":1,\\\"must\\\":[{\\\"term\\\":{\\\"cloudflare.edge.pathing.src\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"user\\\"}}},{\\\"term\\\":{\\\"cloudflare.edge.pathing.op\\\":{\\\"boost\\\":1,\\\"value\\\":\\\"ban\\\"}}}]}},{\\\"terms\\\":{\\\"boost\\\":1,\\\"cloudflare.edge.pathing.status\\\":[\\\"ipr16\\\",\\\"ipr24\\\",\\\"ip6\\\",\\\"ip6r64\\\",\\\"ip6r48\\\",\\\"ip6r32\\\"]}}]}}]},\\\"_source\\\":{\\\"excludes\\\":[],\\\"includes\\\":[\\\"source.geo.region_name\\\",\\\"cloudflare.client.ip_class\\\",\\\"url.path\\\",\\\"cloudflare.client.request.protocol\\\",\\\"http.request.referrer\\\",\\\"url.full\\\",\\\"user_agent.original\\\",\\\"cloudflare.client.ssl.cipher\\\",\\\"cloudflare.client.ssl.protocol\\\",\\\"cloudflare.edge.rate_limit.action\\\",\\\"cloudflare.edge.response.content_type\\\",\\\"cloudflare.origin.response.http.expires\\\",\\\"cloudflare.origin.response.http.last_modified\\\",\\\"cloudflare.origin.ssl.protocol\\\",\\\"user_agent.os.full\\\",\\\"user_agent.name\\\",\\\"cloudflare.waf.action\\\",\\\"cloudflare.waf.flags\\\",\\\"cloudflare.waf.matched_var\\\",\\\"cloudflare.waf.profile\\\",\\\"cloudflare.waf.rule.id\\\",\\\"cloudflare.waf.rule.message\\\",\\\"cloudflare.worker.status\\\",\\\"message\\\",\\\"tags\\\"]},\\\"docvalue_fields\\\":[{\\\"field\\\":\\\"@timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"@version\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.response.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.response.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.cache.tiered.fill\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.as.number\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_iso_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.device_type\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.city_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.continent_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_code2\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_code3\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.country_name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.dma_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"client.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.latitude\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.longitude\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.postal_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.region_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"source.geo.timezone\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.request.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"url.domain\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.request.method\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"client.port\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.colo.id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.end.timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.op\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.src\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.pathing.status\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.rate_limit.id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.request.host\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"destination.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.edge.response.compression_ratio\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.response.status_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"observer.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"@timestamp\\\",\\\"format\\\":\\\"epoch_millis\\\"},{\\\"field\\\":\\\"destination.ip\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"http.response.bytes\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.origin.response.status_code\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.origin.response.time\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.parent.ray_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.ray_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.security_level\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.build\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.device\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.major\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.minor\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.name\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.os_major\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.os_minor\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"user_agent.patch\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.cpu_time\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.subrequest\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.worker.subrequest_count\\\",\\\"format\\\":\\\"use_field_mapping\\\"},{\\\"field\\\":\\\"cloudflare.zone_id\\\",\\\"format\\\":\\\"use_field_mapping\\\"}],\\\"size\\\":50,\\\"sort\\\":[{\\\"_doc\\\":{\\\"order\\\":\\\"asc\\\"}}]}}],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Threat Countries Map [Cloudflare]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":10,\"i\":\"240814e0-fc79-4c27-af94-fa9df006d441\",\"w\":19,\"x\":1,\"y\":14},\"panelIndex\":\"240814e0-fc79-4c27-af94-fa9df006d441\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "Cloudflare - Security (Overview)", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-532a64c0-293a-11e9-b959-4502c43b2e30", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "240814e0-fc79-4c27-af94-fa9df006d441:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..548a6b2545 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "Get insights into your most popular hostnames, most requested content types, breakdown of request methods, and connection type.\n", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":21},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":46,\"x\":1,\"y\":33},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":44},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"6\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"8\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "Cloudflare - Performance (Hostname, Content Type, Request Methods, Connection Type)", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-5a5d6b80-49b9-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f", + "name": "8:panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..ad53a143a9 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,117 @@ +{ + "attributes": { + "description": "Identify and address performance issues and caching misconfigurations. Metrics include total vs. cached bandwidth, saved bandwidth, total requests, cache ratio, top uncached requests, and more.\n", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":10,\"x\":1,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"2\",\"w\":13,\"x\":11,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"3\",\"w\":13,\"x\":24,\"y\":12},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":14,\"x\":1,\"y\":28},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":14,\"x\":15,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":18,\"x\":29,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"7\",\"w\":25,\"x\":1,\"y\":44},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8\",\"w\":21,\"x\":26,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"9\",\"w\":21,\"x\":26,\"y\":50},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"12\",\"w\":24,\"x\":1,\"y\":16},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"13\",\"w\":22,\"x\":25,\"y\":16},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"14\",\"w\":25,\"x\":1,\"y\":32},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"15\",\"w\":21,\"x\":26,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"16\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"17\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"18\",\"w\":46,\"x\":1,\"y\":25},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"19\",\"w\":46,\"x\":1,\"y\":41},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"20\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "Cloudflare - Performance (Requests, Bandwidth, Cache)", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-8d730ba0-3aa6-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "name": "20:panel_20", + "type": "visualization" + }, + { + "id": "cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f", + "name": "21:panel_21", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..1799a88fd7 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "Get insights on the availability of your websites and applications. Metrics include origin response error ratio, origin response status over time, percentage of 3xx/4xx/5xx errors over time, and more.\n", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":34,\"x\":1,\"y\":18},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":34,\"x\":1,\"y\":26},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"3\",\"w\":15,\"x\":31,\"y\":9},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"4\",\"w\":17,\"x\":29,\"y\":37},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"6\",\"w\":28,\"x\":1,\"y\":37},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"7\",\"w\":28,\"x\":1,\"y\":46},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"8\",\"w\":17,\"x\":29,\"y\":46},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":11,\"x\":35,\"y\":26},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":11,\"x\":35,\"y\":18},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"11\",\"w\":30,\"x\":1,\"y\":9},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"12\",\"w\":45,\"x\":1,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"13\",\"w\":38,\"x\":8,\"y\":0},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"14\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":3,\"i\":\"15\",\"w\":45,\"x\":1,\"y\":34},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "Cloudflare - Reliability", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-9c4c3100-39df-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f", + "name": "15:panel_15", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..a9662ea58c --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "Get insights into the performance of your static and dynamic content, including slowest URLs.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"2\",\"w\":46,\"x\":1,\"y\":19},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"4\",\"w\":46,\"x\":1,\"y\":42},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "Cloudflare - Performance (Static vs. Dynamic Content)", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-a35b4880-49a9-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "name": "7:panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..729b9536a3 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-b221c710-2963-11e9-b959-4502c43b2e30.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "description": "Get insights on rate limiting protection against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeted at your websites or applications.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":9},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"2\",\"w\":23,\"x\":1,\"y\":16},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"3\",\"w\":46,\"x\":1,\"y\":25},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"4\",\"w\":23,\"x\":24,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"6\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "Cloudflare - Security (Rate Limiting)", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-b221c710-2963-11e9-b959-4502c43b2e30", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cloudflare-fe404730-2962-11e9-b959-4502c43b2e30", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "name": "7:panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..2c678190bc --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/dashboard/cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "Get insights on threat identification and mitigation by our Web Application Firewall, including events like SQL injections, XSS, and more. Use this data to fine tune the firewall to target obvious threats and prevent false positives.\n", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"1\",\"w\":46,\"x\":1,\"y\":34},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"2\",\"w\":29,\"x\":18,\"y\":23},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":17,\"x\":1,\"y\":23},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"4\",\"w\":18,\"x\":29,\"y\":9},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"5\",\"w\":11,\"x\":18,\"y\":9},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"6\",\"w\":8,\"x\":10,\"y\":9},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":46,\"x\":1,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"8\",\"w\":9,\"x\":1,\"y\":9},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"9\",\"w\":7,\"x\":1,\"y\":0},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"10\",\"w\":39,\"x\":8,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"11\",\"w\":46,\"x\":1,\"y\":4},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "Cloudflare - Security (WAF)", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-ded7e2c0-2955-11e9-b959-4502c43b2e30", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "name": "11:panel_11", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json b/packages/cloudflare/2.2.4/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json new file mode 100755 index 0000000000..0e79f4e006 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/search/cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "columns": [], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"cloudflare.logpull\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.logpull\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [], + "title": "Discover [Cloudflare]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..6deef7fada --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-04dda790-2328-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Traffic IPs [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-04dda790-2328-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..89833b34a5 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Countries - Reliability [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Countries - Reliability\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-085f1f60-39e0-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..51c24c2d0e --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-08c86890-2323-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Traffic Type [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.device_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Traffic Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-08c86890-2323-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json new file mode 100755 index 0000000000..09f8427894 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Threat Client IPs [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Client IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-0ca03f10-338b-11e9-ab62-2d2dc754fa8f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..0476c0cc63 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Total Requests vs. Origin Requests in rps last 24 hours [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total requests\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(253,161,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.origin.response.status_code:\\u003e0\"},\"formatter\":\"number\",\"id\":\"fca6dbb0-4991-11e9-b6ee-0784825b4ddc\",\"label\":\"origin requests\",\"line_width\":1,\"metrics\":[{\"id\":\"fca6dbb1-4991-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total Requests vs. Origin Requests in rps last 24 hours\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-12308c30-499f-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..8632157d21 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top WAF Rules Triggered [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.waf.rule.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.waf.rule.message\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top WAF Rules Triggered\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-123b95b0-2953-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..320a2be360 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Cache Status Ratio [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.cache.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Cache Status Ratio\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-14b05280-3aa7-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..aa891dd0e0 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Client Requests by Hostname Over Time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Hostname Over Time\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-15b60010-49b8-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..4c32681062 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Origin Requests By Hostname - Content Type - Request Methods - Connection Type - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Origin Requests By Hostname - Content Type - Request Methods - Connection Type**\",\"openLinksInNewTab\":false},\"title\":\"Origin Requests By Hostname - Content Type - Request Methods - Connection Type - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-18490820-5bad-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..80c716cb4f --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Hostnames - Reliability [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Hostnames - Reliability\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-18e2eaa0-39e1-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..bb6bae84f4 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Referrer [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.request.referrer\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Referrer\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-1bd60ba0-2327-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..89ecd8bd19 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "WAF Events Over Time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"WAF Events Over Time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-23b58b50-2955-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..4c8bfdee9d --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Threats Over Time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Threats Over Time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-24815750-39de-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..88e454e5d7 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Slowest URIs by cumulative time to first byte for dynamic requests [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"average_response_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"wait_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[99,99.9]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Slowest URIs by cumulative time to first byte for dynamic requests\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-2523f5e0-49b6-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..6c74a813b4 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-27809b60-2326-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "HTTP Protocols [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"HTTP Protocols\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-27809b60-2326-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..68286ce235 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "WAF Events triggered by the Web Application Firewall - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**WAF - Events triggered by the Web Application Firewall**\",\"openLinksInNewTab\":false},\"title\":\"WAF Events triggered by the Web Application Firewall - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-2820f540-5ba9-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..1b27233b9e --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top User Agents [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top User Agents\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-2962b6f0-2328-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..636f5f2e54 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\",\"revalidated\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored, revalidated\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"revalidated\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Cached Bandwidth [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Cached Bandwidth\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Cached Bandwidth\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-2a7aaf40-232b-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..42cd820659 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Total number of requests vs cached vs uncached over time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total requests\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"#68BC00\",\"filter\":{\"language\":\"lucene\",\"query\":\"metricset.name:cloudflare.cache.status\"},\"id\":\"e847cce0-4731-11e9-b6ee-0784825b4ddc\",\"label\":\"cached requests\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"cloudflare.cache.status\",\"terms_order_by\":\"_term\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.cache.status:(hit OR stale OR updating OR ignored)\"},\"formatter\":\"number\",\"id\":\"0d45cce0-498f-11e9-b6ee-0784825b4ddc\",\"label\":\"cached requests\",\"line_width\":1,\"metrics\":[{\"id\":\"0d45cce1-498f-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"#68BC00\",\"id\":\"14053f70-498f-11e9-b6ee-0784825b4ddc\"}],\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"data_stream.dataset : \\\"cloudflare.log\\\" AND cloudflare.cache.status:(-hit OR -stale OR -updating OR -ignored)\"},\"formatter\":\"number\",\"id\":\"3edf18b0-498f-11e9-b6ee-0784825b4ddc\",\"label\":\"uncached requests\",\"line_width\":1,\"metrics\":[{\"id\":\"3edf18b1-498f-11e9-b6ee-0784825b4ddc\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total number of requests vs cached vs uncached over time\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-3091d520-4991-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..b7bd165e0f --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Bandwidth - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Bandwidth**\",\"openLinksInNewTab\":false},\"title\":\"Bandwidth - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-30f664a0-5bab-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..4b321c4b8f --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Web Traffic Overview - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Web Traffic Overview**\",\"openLinksInNewTab\":false},\"title\":\"Web Traffic Overview - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-31863f00-5b9f-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..019a1d489a --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Total Bandwidth vs Origin Bandwidth in Mbps last 24 hours - 7.x [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"c520c1a0-1c6e-11ea-9387-9362a5ae410a\"}],\"bar_color_rules\":[{\"id\":\"c6258770-1c6e-11ea-9387-9362a5ae410a\"}],\"drop_last_bucket\":1,\"gauge_color_rules\":[{\"id\":\"c7b83560-1c6e-11ea-9387-9362a5ae410a\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(104,204,202,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"total bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(253,161,255,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.origin.response.status_code:\\u003e0\"},\"formatter\":\"bytes\",\"id\":\"65f93df0-49a7-11e9-a870-03d340338f04\",\"label\":\"origin bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"65f93df1-49a7-11e9-a870-03d340338f04\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Total Bandwidth vs Origin Bandwidth in Mbps last 24 hours - 7.x\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-3486e5a0-49a8-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..84c8378342 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":{\"query\":\"miss\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"miss\"},\"query\":{\"match\":{\"cloudflare.cache.status\":{\"query\":\"miss\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top URIs with Cache Status Miss [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top URIs with Cache Status Miss\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-34fce850-3aa7-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..8fa929434e --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Rate Limiting Get insights into rate limiting events and banned IPs and URIs - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Rate Limiting - Get insights into rate limiting events and banned IPs and URIs**\",\"openLinksInNewTab\":false},\"title\":\"Rate Limiting Get insights into rate limiting events and banned IPs and URIs - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-39ffbca0-5baa-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..c441021b2c --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":{\"query\":\"ban\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ban\"},\"query\":{\"match\":{\"cloudflare.edge.rate_limit.action\":{\"query\":\"ban\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Banned Client IPs [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Banned Client IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-3ef426c0-2963-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..12376966f2 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-44f03e10-2328-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Total Number of Requests [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Number of Requests\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-44f03e10-2328-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..c4c92004a3 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Cache - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Cache**\",\"openLinksInNewTab\":false},\"title\":\"Cache - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-463abaa0-5bab-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..0f0494d481 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Request Methods [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.request.method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Request Methods\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-46d7d4b0-2326-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..b0d17a8289 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Web Traffic Types - Text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Web Traffic Types -\\nGet insight into the various types of traffic and content**\",\"openLinksInNewTab\":false},\"title\":\"Web Traffic Types - Text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-4a184a50-5ba8-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..78b0147220 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "WAF: Top User Agents [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.waf.rule.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top User Agents\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-4c0a0420-2953-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..6bc87a03e7 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4d637090-2327-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Traffic Type [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.client.ip_class\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic Type\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-4d637090-2327-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..11c85327a6 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Edge Response Status Over Time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Edge Response Status Over Time\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-4dd166d0-39df-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..8c0b7176a6 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Static vs Dynamic Content - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Static vs Dynamic Content**\",\"openLinksInNewTab\":false},\"title\":\"Static vs Dynamic Content - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-58498820-5bab-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..a09615ee11 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Client IPs and AS Number - Reliability [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.as.number\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Client IPs and AS Number - Reliability\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-619d5830-39e0-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..eab3fb830d --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "WAF: Top Hosts [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top Hosts\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-70880ea0-2953-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..402ce71cd6 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"http.version\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.os.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Threat Target URIs [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Target URIs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-7a021b50-39d0-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..f23dcd94eb --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Summary of Edge and Origin Response Status - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Summary of Edge and Origin Response Status**\\n\\nGet an overview of the edge and origin response status codes\",\"openLinksInNewTab\":false},\"title\":\"Summary of Edge and Origin Response Status - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-7a7515f0-5b91-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..031607d1a9 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Origin Response Status Over Time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.origin.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Origin Response Status Over Time\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-7ded6170-39df-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..75d9c75ae0 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"challenge\",\"jsChallenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, challenge, jsChallenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Rate Limit Over Time [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-6M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2.5,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Rate Limit Over Time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-87c0c0f0-295b-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..60020f5987 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-88d54e70-232a-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Total Bandwidth [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Bandwidth\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Bandwidth\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-88d54e70-232a-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json new file mode 100755 index 0000000000..1ff7620257 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Threats Stopped [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Threats Stopped\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-88e4a4e0-338a-11e9-ab62-2d2dc754fa8f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..c196e260d5 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "WAF: Top Client IP [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"WAF: Top Client IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-8b2c78d0-2954-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..6623eff5a1 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Origin time to first byte dynamic requests [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-60d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of cloudflare.origin.response.time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of OriginResponseTime\"},\"type\":\"value\"}]},\"title\":\"Origin time to first byte dynamic requests\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-8bd59600-3aab-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..44ea4ceac6 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Performance Overview - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Performance Overview**\",\"openLinksInNewTab\":false},\"title\":\"Performance Overview - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-9443bac0-5bac-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..9ce4f8c854 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Threats - Review threat activity - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Threats - Review threat activity**\",\"openLinksInNewTab\":false},\"title\":\"Threats - Review threat activity - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-97868680-5ba8-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..f45e0e3b4d --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Content Type [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.response.content_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Content Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-97ff6f60-2326-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..0f8ba8c4b6 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Cloudflare logo [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"![alt text](https://www.cloudflare.com/img/logo-cloudflare-dark.svg)\",\"openLinksInNewTab\":false},\"title\":\"Cloudflare logo\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-97ffb020-5b92-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..3482fa40cd --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"jsChallenge\",\"challenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, jsChallenge, challenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Rate Limit Actions [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Rate Limit Actions\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-9a285cd0-295b-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..81eb744f48 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Origin Response Error Ratio [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.origin.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Origin Response Error Ratio\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-9a9d1910-39ed-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..6b0d9664bf --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Client Requests by Content Type [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.response.content_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Content Type\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-9bb4fa90-49b8-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..09fb8f7e8b --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\",\"revalidated\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored, revalidated\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"revalidated\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Uncached Bandwidth [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Uncached Bandwidth\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-9c3821d0-3aa5-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..6270faa803 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Threat Countries [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat Countries\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-ae0c98c0-39d1-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..dd54f85a2e --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":false,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Cached Requests [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Cached Requests\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-afb4a590-3aa4-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..1ffedbbec6 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "WAF: Top Countries [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"WAF: Top Countries\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-b7d29880-2952-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..d5e3635479 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Client Requests Methods Over Time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.request.method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests Methods Over Time\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-b937c200-49b8-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..bb76962042 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Errors Ratio (Edge) [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(0,104,55)\",\"50 - 75\":\"rgb(255,255,190)\",\"75 - 100\":\"rgb(165,0,38)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"alignment\":\"horizontal\",\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"\",\"width\":0.9},\"type\":\"meter\"},\"isDisplayWarning\":false,\"type\":\"gauge\"},\"title\":\"Errors Ratio (Edge)\",\"type\":\"gauge\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-ba09b9b0-39ee-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..ad111537be --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Detailed View Breakdown of Origin Response Status Codes by Various Metrics - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":14,\"markdown\":\"Detailed View\\nBreakdown of Origin Response Status Codes by Various Metrics\",\"openLinksInNewTab\":false},\"title\":\"Detailed View Breakdown of Origin Response Status Codes by Various Metrics - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-ba3b0120-5b93-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..be29b07593 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Threat User Agents [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threat User Agents\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-bf9032b0-39d0-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..b4b6d0cd3c --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Requested URI - Reliability [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Requested URI - Reliability\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-c08a2fd0-39e0-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..fa9b2d83bc --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Traffic Countries [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Traffic Countries\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-c883c8c0-2326-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..178761e45b --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"cloudflare.log*\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.log*\"}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Requests - text [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"fontSize\":16,\"markdown\":\"**Requests**\",\"openLinksInNewTab\":false},\"title\":\"Requests - text\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-d2ceb1c0-5baa-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..f2f503bfed --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Cached vs Uncached Bandwidth Over Time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.cache.status:(hit OR stale OR updating OR ignored OR revalidated)\"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"saved bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"cloudflare.cache.status:(-hit OR -stale OR -updating OR -ignored OR -revalidated)\"},\"formatter\":\"bytes\",\"id\":\"73f43510-49a0-11e9-8499-d5aa4562b1c7\",\"label\":\"uncached bandwidth\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"73f43511-49a0-11e9-8499-d5aa4562b1c7\",\"type\":\"sum\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Cached vs Uncached Bandwidth Over Time\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-d4b02760-49a0-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..a4b15ea573 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Edge Response Error Ratio [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"Edge Response Error Ratio\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-d53f1d70-39e8-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..81b9a6af94 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"bypass\",\"unknown\"],\"type\":\"phrases\",\"value\":\"bypass, unknown\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Origin time to first byte static requests [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-60d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of cloudflare.origin.response.time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":1.5,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of OriginResponseTime\"},\"type\":\"value\"}]},\"title\":\"Origin time to first byte static requests\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-d6fd64a0-3aab-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..9ddf576777 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"_source\":{\"excludes\":[],\"includes\":[\"source.geo.region_name\",\"cloudflare.client.ip_class\",\"url.path\",\"cloudflare.client.request.protocol\",\"http.request.referrer\",\"url.full\",\"user_agent.original\",\"cloudflare.client.ssl.cipher\",\"cloudflare.client.ssl.protocol\",\"cloudflare.edge.rate_limit.action\",\"cloudflare.edge.response.content_type\",\"cloudflare.origin.response.http.expires\",\"cloudflare.origin.response.http.last_modified\",\"cloudflare.origin.ssl.protocol\",\"user_agent.os.full\",\"user_agent.name\",\"cloudflare.waf.action\",\"cloudflare.waf.flags\",\"cloudflare.waf.matched_var\",\"cloudflare.waf.profile\",\"cloudflare.waf.rule.id\",\"cloudflare.waf.rule.message\",\"cloudflare.worker.status\",\"message\",\"tags\"]},\"docvalue_fields\":[{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"@version\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.response.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.cache.tiered.fill\",\"format\":\"use_field_mapping\"},{\"field\":\"source.as.number\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_iso_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.device_type\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.city_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.continent_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code2\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_code3\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.country_name\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.dma_code\",\"format\":\"use_field_mapping\"},{\"field\":\"client.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.latitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.longitude\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.postal_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.region_code\",\"format\":\"use_field_mapping\"},{\"field\":\"source.geo.timezone\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"url.domain\",\"format\":\"use_field_mapping\"},{\"field\":\"http.request.method\",\"format\":\"use_field_mapping\"},{\"field\":\"client.port\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.colo.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.end.timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"cloudflare.edge.pathing.op\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.src\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.pathing.status\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.rate_limit.id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.request.host\",\"format\":\"use_field_mapping\"},{\"field\":\"destination.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.edge.response.compression_ratio\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"observer.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"@timestamp\",\"format\":\"epoch_millis\"},{\"field\":\"destination.ip\",\"format\":\"use_field_mapping\"},{\"field\":\"http.response.bytes\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.status_code\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.origin.response.time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.parent.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.ray_id\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.security_level\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.build\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.device\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.name\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_major\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.os_minor\",\"format\":\"use_field_mapping\"},{\"field\":\"user_agent.patch\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.cpu_time\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.worker.subrequest_count\",\"format\":\"use_field_mapping\"},{\"field\":\"cloudflare.zone_id\",\"format\":\"use_field_mapping\"}],\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"size\",\"negate\":false,\"type\":\"custom\",\"value\":\"50\"},\"query\":{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"should\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"bic\"}}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"hot\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"captchaFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"macro\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"jschlFail\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"zl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"us\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"rateLimit\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"unknown\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"filterBasedFirewall\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"chl\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ctry\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"term\":{\"cloudflare.edge.pathing.status\":{\"boost\":1,\"value\":\"ip\"}}}]}}]}},{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"bool\":{\"adjust_pure_negative\":true,\"boost\":1,\"must\":[{\"term\":{\"cloudflare.edge.pathing.src\":{\"boost\":1,\"value\":\"user\"}}},{\"term\":{\"cloudflare.edge.pathing.op\":{\"boost\":1,\"value\":\"ban\"}}}]}},{\"terms\":{\"boost\":1,\"cloudflare.edge.pathing.status\":[\"ipr16\",\"ipr24\",\"ip6\",\"ip6r64\",\"ip6r48\",\"ip6r32\"]}}]}}]}},\"size\":50,\"sort\":[{\"_doc\":{\"order\":\"asc\"}}]}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Threats Stopped [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Threats Stopped\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-d9890140-3a9a-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..6f9780ad23 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"hit\",\"stale\",\"updating\",\"ignored\"],\"type\":\"phrases\",\"value\":\"hit, stale, updating, ignored\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"hit\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"stale\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"updating\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"ignored\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Uncached Requests [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Uncached Requests\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-df169f00-3aa4-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..3c3bda44c7 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top User Agents - Reliability [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top User Agents - Reliability\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-ec96e3c0-39e0-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..ad0501c78f --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Client Requests by Connection Over Time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-24h\",\"mode\":\"quick\",\"to\":\"now\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.client.ssl.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Client Requests by Connection Over Time\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-f109c430-49b8-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..c68f5ba629 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,85 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"cloudflare.logpull\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"cloudflare.logpull\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "title": "Filters [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"cloudflare.device_type\",\"id\":\"1554899945457\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Device Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"source.geo.country_name\",\"id\":\"1554900041526\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"url.domain\",\"id\":\"1554900064098\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Hostname\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"client.ip\",\"id\":\"1554900102344\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user_agent.original\",\"id\":\"1554900136614\",\"indexPatternRefName\":\"control_4_index_pattern\",\"label\":\"User Agent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"url.full\",\"id\":\"1554900159944\",\"indexPatternRefName\":\"control_5_index_pattern\",\"label\":\"Request URI\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"http.response.status_code\",\"id\":\"1554900185676\",\"indexPatternRefName\":\"control_6_index_pattern\",\"label\":\"Edge Response Status\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.origin.response.status_code\",\"id\":\"1554900211881\",\"indexPatternRefName\":\"control_7_index_pattern\",\"label\":\"Origin Response Status\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"destination.ip\",\"id\":\"1556549231725\",\"indexPatternRefName\":\"control_8_index_pattern\",\"label\":\"Origin IP\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.ray_id\",\"id\":\"1554900244300\",\"indexPatternRefName\":\"control_9_index_pattern\",\"label\":\"RayID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloudflare.worker.subrequest\",\"id\":\"1554900268999\",\"indexPatternRefName\":\"control_10_index_pattern\",\"label\":\"Worker Subrequest\",\"options\":{\"dynamicOptions\":false,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"http.request.method\",\"id\":\"1554900324235\",\"indexPatternRefName\":\"control_11_index_pattern\",\"label\":\"Client Request Method\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":true,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"Filters\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-f6a08770-5b8e-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_3_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_4_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_5_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_6_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_7_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_8_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_9_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_10_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_11_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..6d5358e3a1 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Cache status over time [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.cache.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Cache status over time\",\"type\":\"line\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-f982c5b0-3aa6-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json new file mode 100755 index 0000000000..38b0a34b1f --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Requested URI [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Requested URI\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-fbfdbb70-2326-11e9-ba08-c19298cded24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..500e479c4b --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.cache.status\",\"negate\":true,\"params\":[\"unknown\",\"bypass\"],\"type\":\"phrases\",\"value\":\"unknown, bypass\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.cache.status\":\"unknown\"}},{\"match_phrase\":{\"cloudflare.cache.status\":\"bypass\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Slowest URIs by cumulative time to first byte for static requests [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"average_response_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"wait_time\",\"field\":\"cloudflare.origin.response.time\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"cloudflare.origin.response.time\",\"percents\":[99,99.9]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Slowest URIs by cumulative time to first byte for static requests\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-fc4f9420-49b6-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..69432d0f5d --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.waf.action\",\"negate\":true,\"params\":{\"query\":\"unknown\"},\"type\":\"phrase\",\"value\":\"unknown\"},\"query\":{\"match\":{\"cloudflare.waf.action\":{\"query\":\"unknown\",\"type\":\"phrase\"}}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "WAF Events Triggered [Cloudflare]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":30,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"WAF Events Triggered\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-fc9df390-293b-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json new file mode 100755 index 0000000000..adeade4e0f --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-fe404730-2962-11e9-b959-4502c43b2e30.json @@ -0,0 +1,31 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cloudflare.edge.rate_limit.action\",\"negate\":false,\"params\":[\"ban\",\"simulate\",\"jsChallenge\",\"challenge\"],\"type\":\"phrases\",\"value\":\"ban, simulate, jsChallenge, challenge\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"ban\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"simulate\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"jsChallenge\"}},{\"match_phrase\":{\"cloudflare.edge.rate_limit.action\":\"challenge\"}}]}}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Rate Limit Countries [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.rate_limit.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"url.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Rate Limit Countries\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-fe404730-2962-11e9-b959-4502c43b2e30", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json new file mode 100755 index 0000000000..04e881cbe5 --- /dev/null +++ b/packages/cloudflare/2.2.4/kibana/visualization/cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Pathing Statuses [Cloudflare]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cloudflare.edge.pathing.src\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cloudflare.edge.pathing.op\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"cloudflare.edge.pathing.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Top Pathing Statuses\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cloudflare-ff3ba2f0-39d0-11e9-bd1f-75f359ac0c3f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cloudflare-a046cd07-96af-4518-a0c0-aea826e9ffc3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cloudflare/2.2.4/manifest.yml b/packages/cloudflare/2.2.4/manifest.yml new file mode 100755 index 0000000000..cce82a0485 --- /dev/null +++ b/packages/cloudflare/2.2.4/manifest.yml @@ -0,0 +1,76 @@ +name: cloudflare +title: Cloudflare +version: 2.2.4 +release: ga +description: Collect logs from Cloudflare with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security, network, web, cloud] +conditions: + kibana.version: ^8.0.0 +icons: + - src: /img/cf-logo-v.svg + title: Cloudflare + size: 216x216 + type: image/svg+xml +screenshots: + - src: /img/cloudflare-snapshot.png + title: Cloudflare - Snapshot + size: 1847x950 + type: image/png + - src: /img/cloudflare-reliability.png + title: Cloudflare - Reliability + size: 1850x948 + type: image/png + - src: /img/cloudflare-security-overview.png + title: Cloudflare - Security + size: 1848x949 + type: image/png + - src: /img/cloudflare-performance.png + title: Cloudflare - Performance (Requests, Bandwidth, Cache) + size: 1847x949 + type: image/png + - src: /img/cloudflare-performance2.png + title: Cloudflare - Performance (Hostname, Content Type, Request Methods, Connection Type) + size: 1847x950 + type: image/png +policy_templates: + - name: cloudflare + title: Cloudflare logs + description: Collect logs from Cloudflare + inputs: + - type: httpjson + title: "Collect Cloudflare logs via API" + description: "Collecting logs from Cloudflare via API" + vars: + - name: api_url + type: text + title: API URL. + description: The API URL without the path. + multi: false + required: true + show_user: false + default: https://api.cloudflare.com + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: true + default: 60s +owner: + github: elastic/security-external-integrations diff --git a/packages/cyberark_pta/0.1.2/LICENSE.txt b/packages/cyberark_pta/0.1.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cyberark_pta/0.1.2/changelog.yml b/packages/cyberark_pta/0.1.2/changelog.yml new file mode 100755 index 0000000000..aa8c14cef7 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/changelog.yml @@ -0,0 +1,16 @@ +# newer versions go on top +- version: "0.1.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4401 +- version: "0.1.1" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "0.1.0" + changes: + - description: initial beta release + type: enhancement + link: https://github.com/elastic/integrations/pull/3908 diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/agent/stream/tcp.yml.hbs b/packages/cyberark_pta/0.1.2/data_stream/events/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..6a3725e901 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/agent/stream/tcp.yml.hbs @@ -0,0 +1,28 @@ +tcp: +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +processors: +- add_locale: ~ +- rename: + fields: + - {from: "message", to: "event.original"} +- decode_cef: + field: event.original +{{#if processors}} +{{processors}} +{{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} \ No newline at end of file diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/agent/stream/udp.yml.hbs b/packages/cyberark_pta/0.1.2/data_stream/events/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..c31bfc1329 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/agent/stream/udp.yml.hbs @@ -0,0 +1,22 @@ +udp: +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- add_locale: ~ +- rename: + fields: + - {from: "message", to: "event.original"} +- decode_cef: + field: event.original +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cyberark_pta/0.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..8dc9774227 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,50 @@ +--- +description: Pipeline for CyberArk PTA + +processors: + - set: + field: ecs.version + value: '8.3.0' + - set: + field: event.action + value: "{{cef.extensions.deviceCustomString5}}" + if: "ctx?.cef?.extensions?.deviceCustomString5 != null && ctx?.cef?.extensions?.deviceCustomString5 != ''" + - set: + field: '@timestamp' + value: "{{cef.extensions.deviceCustomDate1}}" + ignore_empty_value: true + override: true + - set: + field: event.id + value: "{{cef.extensions.deviceCustomString2}}" + if: "ctx?.cef?.extensions?.deviceCustomString2 != null && ctx?.cef?.extensions?.deviceCustomString2 != ''" + - set: + field: event.reference + value: "{{cef.extensions.deviceCustomString3}}" + if: "ctx?.cef?.extensions?.deviceCustomString3 != null && ctx?.cef?.extensions?.deviceCustomString3 != ''" + - set: + field: event.url + value: "{{cef.extensions.deviceCustomString4}}" + if: "ctx?.cef?.extensions?.deviceCustomString4 != null && ctx?.cef?.extensions?.deviceCustomString4 != ''" + - set: + field: cyberark_pta.log.event_type + value: "{{cef.device.event_class_id}}" + if: "ctx?.cef?.device?.event_class_id != null && ctx?.cef?.device?.event_class_id != ''" + - rename: + field: message + target_field: event.reason + if: 'ctx.event?.reason == null' + + # cleanup 'None' for source or destination ip + - remove: + field: + - error + if: "ctx?.cef?.extensions?.sourceAddress == null || ctx?.cef?.extensions?.destinationAddress == null" + +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" + - set: + field: event.kind + value: pipeline_error diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/fields/agent.yml b/packages/cyberark_pta/0.1.2/data_stream/events/fields/agent.yml new file mode 100755 index 0000000000..0179324b40 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/fields/agent.yml @@ -0,0 +1,6 @@ +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. +- name: input.type + type: keyword + description: Input type diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/fields/base-fields.yml b/packages/cyberark_pta/0.1.2/data_stream/events/fields/base-fields.yml new file mode 100755 index 0000000000..fa009b21a9 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cyberark_pta +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cyberark_pta.events +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/fields/cef.yml b/packages/cyberark_pta/0.1.2/data_stream/events/fields/cef.yml new file mode 100755 index 0000000000..25d4c7006c --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/fields/cef.yml @@ -0,0 +1,466 @@ +- name: cef.name + type: keyword +- name: cef.severity + type: keyword +- name: cef.version + type: keyword +- name: destination.service.name + type: keyword +- name: source.service.name + type: keyword +- name: cef.device + type: group + fields: + - name: event_class_id + type: keyword + description: Unique identifier of the event type. + - name: product + type: keyword + description: Product of the device that produced the message. + - name: vendor + type: keyword + description: Vendor of the device that produced the message. + - name: version + type: keyword + description: Version of the product that produced the message. +- name: cef.extensions + type: group + fields: + - name: agentAddress + type: ip + description: The IP address of the ArcSight connector that processed the event. + - name: agentHostName + type: keyword + description: The hostname of the ArcSight connector that processed the event. + - name: agentId + type: keyword + description: The agent ID of the ArcSight connector that processed the event. + - name: agentReceiptTime + type: date + description: The time at which information about the event was received by the ArcSight connector. + - name: agentTimeZone + type: keyword + description: The agent time zone of the ArcSight connector that processed the event. + - name: agentType + type: keyword + description: The agent type of the ArcSight connector that processed the event. + - name: destinationHostName + type: keyword + description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. + - name: deviceTimeZone + type: keyword + description: The time zone for the device generating the event. + - name: requestUrlFileName + type: keyword + - name: startTime + type: date + description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). + - name: type + type: long + description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). + - name: agentVersion + type: keyword + description: The version of the ArcSight connector that processed the event. + - name: agentZoneURI + type: keyword + - name: deviceSeverity + type: keyword + - name: deviceZoneURI + type: keyword + description: Thee URI for the Zone that the device asset has been assigned to in ArcSight. + - name: fileType + type: keyword + description: Type of file (pipe, socket, etc.) + - name: filename + type: keyword + description: Name of the file only (without its path). + - name: managerReceiptTime + type: date + description: When the Arcsight ESM received the event. + - name: agentMacAddress + type: keyword + description: The MAC address of the ArcSight connector that processed the event. + - name: deviceProcessName + type: keyword + description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX. + - name: baseEventCount + type: long + description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. + - name: dvc + type: ip + description: This field is used by Trend Micro if the hostname is an IPv4 address. + - name: dvchost + type: keyword + description: This field is used by Trend Micro for hostnames and IPv6 addresses. + - name: cp_app_risk + type: keyword + - name: cp_severity + type: keyword + - name: ifname + type: keyword + - name: inzone + type: keyword + - name: layer_uuid + type: keyword + - name: layer_name + type: keyword + - name: logid + type: keyword + - name: loguid + type: keyword + - name: match_id + type: keyword + - name: nat_addtnl_rulenum + type: keyword + - name: nat_rulenum + type: keyword + - name: origin + type: keyword + - name: originsicname + type: keyword + - name: outzone + type: keyword + - name: parent_rule + type: keyword + - name: product + type: keyword + - name: rule_action + type: keyword + - name: rule_uid + type: keyword + - name: sequencenum + type: keyword + - name: service_id + type: keyword + - name: version + type: keyword + - name: applicationProtocol + type: keyword + description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. + - name: categoryDeviceGroup + type: keyword + description: General device group like Firewall (ArcSight). + - name: categoryTechnique + type: keyword + description: Technique being used (e.g. /DoS) (ArcSight). + - name: deviceEventCategory + type: keyword + description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". + - name: sourceNtDomain + type: keyword + description: The Windows domain name for the source address. + - name: destinationNtDomain + type: keyword + description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). + - name: categoryOutcome + type: keyword + description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). + - name: categorySignificance + type: keyword + description: Characterization of the importance of the event (ArcSight). + - name: categoryObject + type: keyword + description: Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). + - name: categoryBehavior + type: keyword + description: Action or a behavior associated with an event. It's what is being done to the object (ArcSight). + - name: categoryDeviceType + type: keyword + description: Device type. Examples - Proxy, IDS, Web Server (ArcSight). + - name: bytesIn + type: long + description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. + - name: bytesOut + type: long + description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. + - name: destinationAddress + type: ip + description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. + - name: destinationPort + type: long + description: The valid port numbers are between 0 and 65535. + - name: destinationServiceName + type: keyword + description: The service targeted by this event. + - name: destinationTranslatedAddress + type: ip + description: Identifies the translated destination that the event refers to in an IP network. + - name: destinationTranslatedPort + type: long + description: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. + - name: destinationUserName + type: keyword + description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. + - name: destinationUserPrivileges + type: keyword + description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". + - name: deviceAction + type: keyword + description: Action taken by the device. + - name: deviceAddress + type: ip + description: Identifies the device address that an event refers to in an IP network. + - name: deviceCustomDate1 + type: keyword + description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomDate1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomDate2 + type: keyword + description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomDate2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomNumber1 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomNumber1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomNumber2 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomNumber2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomNumber3 + type: long + description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomNumber3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString1 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString2 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString3 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString4 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString4Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString5 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString5Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomString6 + type: keyword + description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. + - name: deviceCustomString6Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceDirection + type: long + description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. + - name: deviceExternalId + type: keyword + description: A name that uniquely identifies the device generating this event. + - name: deviceFacility + type: keyword + description: The facility generating this event. For example, Syslog has an explicit facility associated with every event. + - name: deviceHostName + type: keyword + description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. + - name: deviceOutboundInterface + type: keyword + description: Interface on which the packet or data left the device. + - name: deviceReceiptTime + type: keyword + description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) + - name: eventId + type: long + description: This is a unique ID that ArcSight assigns to each event. + - name: fileHash + type: keyword + description: Hash of a file. + - name: message + type: keyword + description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. + - name: oldFileHash + type: keyword + description: Hash of the old file. + - name: requestContext + type: keyword + description: Description of the content from which the request originated (for example, HTTP Referrer). + - name: requestMethod + type: keyword + description: The HTTP method used to access a URL. + - name: requestUrl + type: keyword + description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. + - name: method + type: keyword + description: HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + - name: sourceAddress + type: ip + description: Identifies the source that an event refers to in an IP network. + - name: sourceGeoLatitude + type: long + - name: sourceGeoLongitude + type: long + - name: sourcePort + type: long + description: The valid port numbers are 0 to 65535. + - name: sourceServiceName + type: keyword + description: The service that is responsible for generating this event. + - name: sourceTranslatedAddress + type: ip + description: Identifies the translated source that the event refers to in an IP network. + - name: sourceTranslatedPort + type: long + description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. + - name: sourceUserName + type: keyword + description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. + - name: sourceUserPrivileges + type: keyword + description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". + - name: transportProtocol + type: keyword + description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. + - name: ad + type: flattened + - name: TrendMicroDsDetectionConfidence + type: keyword + - name: TrendMicroDsFileMD5 + type: keyword + - name: TrendMicroDsFileSHA1 + type: keyword + - name: TrendMicroDsFileSHA256 + type: keyword + - name: TrendMicroDsFrameType + type: keyword + - name: TrendMicroDsMalwareTarget + type: keyword + - name: TrendMicroDsMalwareTargetType + type: keyword + - name: TrendMicroDsPacketData + type: keyword + - name: TrendMicroDsRelevantDetectionNames + type: keyword + - name: TrendMicroDsTenant + type: keyword + - name: TrendMicroDsTenantId + type: keyword + - name: assetCriticality + type: keyword + - name: deviceAssetId + type: keyword + - name: deviceCustomIPv6Address1 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomIPv6Address1Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomIPv6Address2 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomIPv6Address2Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomIPv6Address3 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomIPv6Address3Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceCustomIPv6Address4 + type: ip + description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. + - name: deviceCustomIPv6Address4Label + type: keyword + description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. + - name: deviceInboundInterface + type: keyword + description: Interface on which the packet or data entered the device. + - name: deviceZoneID + type: keyword + - name: eventAnnotationAuditTrail + type: keyword + - name: eventAnnotationEndTime + type: date + - name: eventAnnotationFlags + type: keyword + - name: eventAnnotationManagerReceiptTime + type: date + - name: eventAnnotationModificationTime + type: date + - name: eventAnnotationStageUpdateTime + type: date + - name: eventAnnotationVersion + type: keyword + - name: locality + type: keyword + - name: modelConfidence + type: keyword + - name: originalAgentAddress + type: keyword + - name: originalAgentHostName + type: keyword + - name: originalAgentId + type: keyword + - name: originalAgentType + type: keyword + - name: originalAgentVersion + type: keyword + - name: originalAgentZoneURI + type: keyword + - name: priority + type: keyword + - name: relevance + type: keyword + - name: severity + type: keyword + - name: sourceTranslatedZoneID + type: keyword + - name: sourceTranslatedZoneURI + type: keyword + description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. + - name: sourceZoneID + type: keyword + description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. + - name: sourceZoneURI + type: keyword + description: The URI for the Zone that the source asset has been assigned to in ArcSight. + - name: aggregationType + type: keyword + - name: destinationMacAddress + type: keyword + description: Six colon-separated hexadecimal numbers. + - name: filePath + type: keyword + description: Full path to the file, including file name itself. + - name: fileSize + type: long + description: Size of the file. + - name: repeatCount + type: keyword + - name: sourceHostName + type: keyword + description: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. + - name: sourceMacAddress + type: keyword + description: Six colon-separated hexadecimal numbers. + - name: sourceUserId + type: keyword + description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. + - name: target + type: keyword diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/fields/ecs.yml b/packages/cyberark_pta/0.1.2/data_stream/events/fields/ecs.yml new file mode 100755 index 0000000000..7db289b877 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/fields/ecs.yml @@ -0,0 +1,89 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Reference URL linking to additional information about this event. + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.reference + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/fields/fields.yml b/packages/cyberark_pta/0.1.2/data_stream/events/fields/fields.yml new file mode 100755 index 0000000000..d6a6534db7 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/fields/fields.yml @@ -0,0 +1,6 @@ +- name: cyberark_pta.log + type: group + fields: + - name: event_type + type: keyword + description: A unique ID that identifies the event that is reported. diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/manifest.yml b/packages/cyberark_pta/0.1.2/data_stream/events/manifest.yml new file mode 100755 index 0000000000..5d835d12a6 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/manifest.yml @@ -0,0 +1,113 @@ +title: CyberArk PTA logs +type: logs +streams: + - input: udp + title: CyberArk PTA logs (UDP) + description: Collect CyberArk PTA logs using UDP input + template_path: udp.yml.hbs + vars: + - name: syslog_host + type: text + title: Syslog Host + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Syslog Port + multi: false + required: true + show_user: true + default: 9301 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cyberark_pta + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp + title: CyberArk PTA logs (TCP) + description: Collect CyberArk PTA logs using TCP input + template_path: tcp.yml.hbs + vars: + - name: syslog_host + type: text + title: Syslog Host + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Syslog Port + multi: false + required: true + show_user: true + default: 9301 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cyberark_pta + - forwarded + - name: ssl + type: yaml + title: TLS configuration + multi: false + required: false + show_user: true + description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. + default: | + #certificate: "/etc/server/cert.pem" + #key: "/etc/server/key.pem" + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cyberark_pta/0.1.2/data_stream/events/sample_event.json b/packages/cyberark_pta/0.1.2/data_stream/events/sample_event.json new file mode 100755 index 0000000000..5ad7e32872 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/data_stream/events/sample_event.json @@ -0,0 +1,102 @@ +{ + "@timestamp": "2014-01-01T12:05:00.000Z", + "agent": { + "ephemeral_id": "29757b50-508c-457f-b12f-4231a5e8dbb7", + "hostname": "docker-fleet-agent", + "id": "61c2aa93-e34e-4412-bd9b-ce85257847de", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cef": { + "device": { + "event_class_id": "1", + "product": "PTA", + "vendor": "CyberArk", + "version": "12.6" + }, + "extensions": { + "destinationAddress": "2.2.2.2", + "destinationHostName": "dev1.domain.com", + "destinationUserName": "andy@dev1.domain.com", + "deviceCustomDate1": "2014-01-01T12:05:00.000Z", + "deviceCustomDate1Label": "detectionDate", + "deviceCustomString1": "None", + "deviceCustomString1Label": "ExtraData", + "deviceCustomString2": "52b06812ec3500ed864c461e", + "deviceCustomString2Label": "EventID", + "deviceCustomString3": "https://1.1.1.1/incidents/52b06812ec3500ed864c461e", + "deviceCustomString3Label": "PTAlink", + "deviceCustomString4": "None", + "deviceCustomString4Label": "ExternalLink", + "sourceAddress": "1.1.1.1", + "sourceHostName": "prod1.domain.com", + "sourceUserName": "mike2@prod1.domain.com" + }, + "name": "Suspected credentials theft", + "severity": "8", + "version": "0" + }, + "cyberark_pta": { + "log": { + "event_type": "1" + } + }, + "data_stream": { + "dataset": "cyberark_pta.events", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "domain": "dev1.domain.com", + "ip": "2.2.2.2", + "user": { + "name": "andy@dev1.domain.com" + } + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "61c2aa93-e34e-4412-bd9b-ce85257847de", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "code": "1", + "dataset": "cyberark_pta.events", + "id": "52b06812ec3500ed864c461e", + "ingested": "2022-08-11T17:13:32Z", + "original": "CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.1.1.1 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=2.2.2.2 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=None", + "reason": "Suspected credentials theft", + "reference": "https://1.1.1.1/incidents/52b06812ec3500ed864c461e", + "severity": 8, + "url": "None" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.16.4:45956" + } + }, + "observer": { + "product": "PTA", + "vendor": "CyberArk", + "version": "12.6" + }, + "source": { + "domain": "prod1.domain.com", + "ip": "1.1.1.1", + "user": { + "name": "mike2@prod1.domain.com" + } + }, + "tags": [ + "preserve_original_event", + "cyberark_pta", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/cyberark_pta/0.1.2/docs/README.md b/packages/cyberark_pta/0.1.2/docs/README.md new file mode 100755 index 0000000000..0f06b54238 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/docs/README.md @@ -0,0 +1,309 @@ +# Cyberark Privileged Threat Analytics + +CyberArk's Privileged Threat Analytics (PTA) continuously monitors the use of privileged accounts that are managed in the CyberArk Privileged Access Security (PAS) platform. This integration collects analytics from PTA's syslog via CEF-formatted logs. + +### Configuration + +Follow the steps described under [Send PTA syslog records to SIEM](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm) documentation to setup the integration: + +- Sample syslog configuration for `systemparm.properties`: + +```ini +[SYSLOG] +syslog_outbound=[{"siem": "Elastic", "format": "CEF", "host": "SIEM_MACHINE_ADDRESS", "port": 9301, "protocol": "TCP"}] +``` + +### Example event +An example event for pta looks as following: + +```json +{ + "cef": { + "device": { + "event_class_id": "1", + "product": "PTA", + "vendor": "CyberArk", + "version": "12.6" + }, + "extensions": { + "destinationAddress": "175.16.199.0", + "destinationHostName": "dev1.domain.com", + "destinationUserName": "andy@dev1.domain.com", + "deviceCustomDate1": "2014-01-01T12:05:00.000Z", + "deviceCustomDate1Label": "detectionDate", + "deviceCustomString1": "None", + "deviceCustomString1Label": "ExtraData", + "deviceCustomString2": "52b06812ec3500ed864c461e", + "deviceCustomString2Label": "EventID", + "deviceCustomString3": "https://1.128.0.0/incidents/52b06812ec3500ed864c461e", + "deviceCustomString3Label": "PTAlink", + "deviceCustomString4": "https://myexternallink.com", + "deviceCustomString4Label": "ExternalLink", + "sourceAddress": "1.128.0.0", + "sourceHostName": "prod1.domain.com", + "sourceUserName": "mike2@prod1.domain.com" + }, + "name": "Suspected credentials theft", + "severity": "8", + "version": "0" + }, + "destination": { + "domain": "dev1.domain.com", + "ip": "175.16.199.0", + "user": { + "name": "andy@dev1.domain.com" + } + }, + "ecs": { + "version": "8.3.0" + }, + "event": { + "code": "1", + "created": [ + "2014-01-01T12:05:00.000Z" + ], + "id": [ + "52b06812ec3500ed864c461e" + ], + "ingested": "2022-07-28T14:05:49Z", + "original": "CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.128.0.0 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=175.16.199.0 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.128.0.0/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=https://myexternallink.com", + "reference": [ + "https://1.128.0.0/incidents/52b06812ec3500ed864c461e" + ], + "severity": 8, + "url": [ + "https://myexternallink.com" + ] + }, + "message": "Suspected credentials theft", + "observer": { + "product": "PTA", + "vendor": "CyberArk", + "version": "12.6" + }, + "source": { + "domain": "prod1.domain.com", + "ip": "1.128.0.0", + "user": { + "name": "mike2@prod1.domain.com" + } + }, + "tags": [ + "cyberark_pta", + "forwarded" + ] +} +``` + +**Exported fields** + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cef.device.event_class_id | Unique identifier of the event type. | keyword | +| cef.device.product | Product of the device that produced the message. | keyword | +| cef.device.vendor | Vendor of the device that produced the message. | keyword | +| cef.device.version | Version of the product that produced the message. | keyword | +| cef.extensions.TrendMicroDsDetectionConfidence | | keyword | +| cef.extensions.TrendMicroDsFileMD5 | | keyword | +| cef.extensions.TrendMicroDsFileSHA1 | | keyword | +| cef.extensions.TrendMicroDsFileSHA256 | | keyword | +| cef.extensions.TrendMicroDsFrameType | | keyword | +| cef.extensions.TrendMicroDsMalwareTarget | | keyword | +| cef.extensions.TrendMicroDsMalwareTargetType | | keyword | +| cef.extensions.TrendMicroDsPacketData | | keyword | +| cef.extensions.TrendMicroDsRelevantDetectionNames | | keyword | +| cef.extensions.TrendMicroDsTenant | | keyword | +| cef.extensions.TrendMicroDsTenantId | | keyword | +| cef.extensions.ad | | flattened | +| cef.extensions.agentAddress | The IP address of the ArcSight connector that processed the event. | ip | +| cef.extensions.agentHostName | The hostname of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentId | The agent ID of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentMacAddress | The MAC address of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentReceiptTime | The time at which information about the event was received by the ArcSight connector. | date | +| cef.extensions.agentTimeZone | The agent time zone of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentType | The agent type of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentVersion | The version of the ArcSight connector that processed the event. | keyword | +| cef.extensions.agentZoneURI | | keyword | +| cef.extensions.aggregationType | | keyword | +| cef.extensions.applicationProtocol | Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. | keyword | +| cef.extensions.assetCriticality | | keyword | +| cef.extensions.baseEventCount | A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. | long | +| cef.extensions.bytesIn | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. | long | +| cef.extensions.bytesOut | Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. | long | +| cef.extensions.categoryBehavior | Action or a behavior associated with an event. It's what is being done to the object (ArcSight). | keyword | +| cef.extensions.categoryDeviceGroup | General device group like Firewall (ArcSight). | keyword | +| cef.extensions.categoryDeviceType | Device type. Examples - Proxy, IDS, Web Server (ArcSight). | keyword | +| cef.extensions.categoryObject | Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). | keyword | +| cef.extensions.categoryOutcome | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword | +| cef.extensions.categorySignificance | Characterization of the importance of the event (ArcSight). | keyword | +| cef.extensions.categoryTechnique | Technique being used (e.g. /DoS) (ArcSight). | keyword | +| cef.extensions.cp_app_risk | | keyword | +| cef.extensions.cp_severity | | keyword | +| cef.extensions.destinationAddress | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. | ip | +| cef.extensions.destinationHostName | Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. | keyword | +| cef.extensions.destinationMacAddress | Six colon-separated hexadecimal numbers. | keyword | +| cef.extensions.destinationNtDomain | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword | +| cef.extensions.destinationPort | The valid port numbers are between 0 and 65535. | long | +| cef.extensions.destinationServiceName | The service targeted by this event. | keyword | +| cef.extensions.destinationTranslatedAddress | Identifies the translated destination that the event refers to in an IP network. | ip | +| cef.extensions.destinationTranslatedPort | Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. | long | +| cef.extensions.destinationUserName | Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. | keyword | +| cef.extensions.destinationUserPrivileges | The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". | keyword | +| cef.extensions.deviceAction | Action taken by the device. | keyword | +| cef.extensions.deviceAddress | Identifies the device address that an event refers to in an IP network. | ip | +| cef.extensions.deviceAssetId | | keyword | +| cef.extensions.deviceCustomDate1 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword | +| cef.extensions.deviceCustomDate1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomDate2 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword | +| cef.extensions.deviceCustomDate2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomIPv6Address1 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | +| cef.extensions.deviceCustomIPv6Address1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomIPv6Address2 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | +| cef.extensions.deviceCustomIPv6Address2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomIPv6Address3 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | +| cef.extensions.deviceCustomIPv6Address3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomIPv6Address4 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip | +| cef.extensions.deviceCustomIPv6Address4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomNumber1 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | +| cef.extensions.deviceCustomNumber1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomNumber2 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | +| cef.extensions.deviceCustomNumber2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomNumber3 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long | +| cef.extensions.deviceCustomNumber3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString1 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString2 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString3 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString4 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString5 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString5Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceCustomString6 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword | +| cef.extensions.deviceCustomString6Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword | +| cef.extensions.deviceDirection | Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. | long | +| cef.extensions.deviceEventCategory | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". | keyword | +| cef.extensions.deviceExternalId | A name that uniquely identifies the device generating this event. | keyword | +| cef.extensions.deviceFacility | The facility generating this event. For example, Syslog has an explicit facility associated with every event. | keyword | +| cef.extensions.deviceHostName | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. | keyword | +| cef.extensions.deviceInboundInterface | Interface on which the packet or data entered the device. | keyword | +| cef.extensions.deviceOutboundInterface | Interface on which the packet or data left the device. | keyword | +| cef.extensions.deviceProcessName | Process name associated with the event. An example might be the process generating the syslog entry in UNIX. | keyword | +| cef.extensions.deviceReceiptTime | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | keyword | +| cef.extensions.deviceSeverity | | keyword | +| cef.extensions.deviceTimeZone | The time zone for the device generating the event. | keyword | +| cef.extensions.deviceZoneID | | keyword | +| cef.extensions.deviceZoneURI | Thee URI for the Zone that the device asset has been assigned to in ArcSight. | keyword | +| cef.extensions.dvc | This field is used by Trend Micro if the hostname is an IPv4 address. | ip | +| cef.extensions.dvchost | This field is used by Trend Micro for hostnames and IPv6 addresses. | keyword | +| cef.extensions.eventAnnotationAuditTrail | | keyword | +| cef.extensions.eventAnnotationEndTime | | date | +| cef.extensions.eventAnnotationFlags | | keyword | +| cef.extensions.eventAnnotationManagerReceiptTime | | date | +| cef.extensions.eventAnnotationModificationTime | | date | +| cef.extensions.eventAnnotationStageUpdateTime | | date | +| cef.extensions.eventAnnotationVersion | | keyword | +| cef.extensions.eventId | This is a unique ID that ArcSight assigns to each event. | long | +| cef.extensions.fileHash | Hash of a file. | keyword | +| cef.extensions.filePath | Full path to the file, including file name itself. | keyword | +| cef.extensions.fileSize | Size of the file. | long | +| cef.extensions.fileType | Type of file (pipe, socket, etc.) | keyword | +| cef.extensions.filename | Name of the file only (without its path). | keyword | +| cef.extensions.ifname | | keyword | +| cef.extensions.inzone | | keyword | +| cef.extensions.layer_name | | keyword | +| cef.extensions.layer_uuid | | keyword | +| cef.extensions.locality | | keyword | +| cef.extensions.logid | | keyword | +| cef.extensions.loguid | | keyword | +| cef.extensions.managerReceiptTime | When the Arcsight ESM received the event. | date | +| cef.extensions.match_id | | keyword | +| cef.extensions.message | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. | keyword | +| cef.extensions.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| cef.extensions.modelConfidence | | keyword | +| cef.extensions.nat_addtnl_rulenum | | keyword | +| cef.extensions.nat_rulenum | | keyword | +| cef.extensions.oldFileHash | Hash of the old file. | keyword | +| cef.extensions.origin | | keyword | +| cef.extensions.originalAgentAddress | | keyword | +| cef.extensions.originalAgentHostName | | keyword | +| cef.extensions.originalAgentId | | keyword | +| cef.extensions.originalAgentType | | keyword | +| cef.extensions.originalAgentVersion | | keyword | +| cef.extensions.originalAgentZoneURI | | keyword | +| cef.extensions.originsicname | | keyword | +| cef.extensions.outzone | | keyword | +| cef.extensions.parent_rule | | keyword | +| cef.extensions.priority | | keyword | +| cef.extensions.product | | keyword | +| cef.extensions.relevance | | keyword | +| cef.extensions.repeatCount | | keyword | +| cef.extensions.requestContext | Description of the content from which the request originated (for example, HTTP Referrer). | keyword | +| cef.extensions.requestMethod | The HTTP method used to access a URL. | keyword | +| cef.extensions.requestUrl | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. | keyword | +| cef.extensions.requestUrlFileName | | keyword | +| cef.extensions.rule_action | | keyword | +| cef.extensions.rule_uid | | keyword | +| cef.extensions.sequencenum | | keyword | +| cef.extensions.service_id | | keyword | +| cef.extensions.severity | | keyword | +| cef.extensions.sourceAddress | Identifies the source that an event refers to in an IP network. | ip | +| cef.extensions.sourceGeoLatitude | | long | +| cef.extensions.sourceGeoLongitude | | long | +| cef.extensions.sourceHostName | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. | keyword | +| cef.extensions.sourceMacAddress | Six colon-separated hexadecimal numbers. | keyword | +| cef.extensions.sourceNtDomain | The Windows domain name for the source address. | keyword | +| cef.extensions.sourcePort | The valid port numbers are 0 to 65535. | long | +| cef.extensions.sourceServiceName | The service that is responsible for generating this event. | keyword | +| cef.extensions.sourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. | ip | +| cef.extensions.sourceTranslatedPort | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. | long | +| cef.extensions.sourceTranslatedZoneID | | keyword | +| cef.extensions.sourceTranslatedZoneURI | The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. | keyword | +| cef.extensions.sourceUserId | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword | +| cef.extensions.sourceUserName | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. | keyword | +| cef.extensions.sourceUserPrivileges | The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". | keyword | +| cef.extensions.sourceZoneID | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword | +| cef.extensions.sourceZoneURI | The URI for the Zone that the source asset has been assigned to in ArcSight. | keyword | +| cef.extensions.startTime | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | date | +| cef.extensions.target | | keyword | +| cef.extensions.transportProtocol | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. | keyword | +| cef.extensions.type | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). | long | +| cef.extensions.version | | keyword | +| cef.name | | keyword | +| cef.severity | | keyword | +| cef.version | | keyword | +| cyberark_pta.log.event_type | A unique ID that identifies the event that is reported. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.service.name | | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| input.type | Input type | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| observer.product | The product name of the observer. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.service.name | | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/cyberark_pta/0.1.2/img/cyberarkpta-overview.png b/packages/cyberark_pta/0.1.2/img/cyberarkpta-overview.png new file mode 100755 index 0000000000..0992ada152 Binary files /dev/null and b/packages/cyberark_pta/0.1.2/img/cyberarkpta-overview.png differ diff --git a/packages/cyberark_pta/0.1.2/img/logo.svg b/packages/cyberark_pta/0.1.2/img/logo.svg new file mode 100755 index 0000000000..04930adfd8 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/img/logo.svg @@ -0,0 +1 @@ +Asset 25 diff --git a/packages/cyberark_pta/0.1.2/kibana/dashboard/cyberark_pta-eea41650-18bd-11ed-9abd-41a4c44d6e7d.json b/packages/cyberark_pta/0.1.2/kibana/dashboard/cyberark_pta-eea41650-18bd-11ed-9abd-41a4c44d6e7d.json new file mode 100755 index 0000000000..d94d095b40 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/kibana/dashboard/cyberark_pta-eea41650-18bd-11ed-9abd-41a4c44d6e7d.json @@ -0,0 +1,77 @@ +{ + "attributes": { + "description": "Dashboard for CyberArk Privileged Threat Analytics events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"query\":{\"match_phrase\":{\"event.dataset\":\"cyberark_pta.events\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3e6332a5-6ad3-41e6-9bb5-6ec2abd887f7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3e6332a5-6ad3-41e6-9bb5-6ec2abd887f7\":{\"columnOrder\":[\"74fa8240-d450-412a-8343-149d05d4d536\"],\"columns\":{\"74fa8240-d450-412a-8343-149d05d4d536\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\" \",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"74fa8240-d450-412a-8343-149d05d4d536\",\"layerId\":\"3e6332a5-6ad3-41e6-9bb5-6ec2abd887f7\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"562dd571-d7e2-4794-91e9-b78eff36e41c\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"562dd571-d7e2-4794-91e9-b78eff36e41c\",\"title\":\"[CyberArk PTA] Count of events\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-87eed888-756f-45b0-993b-44ad2b1e23a5\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"87eed888-756f-45b0-993b-44ad2b1e23a5\":{\"columnOrder\":[\"852d53bc-8cf4-47fc-8b40-98ed13472e85\",\"62d6a234-31da-42e3-8fe9-38d2744955b3\",\"2af7beda-39a4-4d42-b785-a609549ba02f\",\"9e57e808-1389-458e-8811-5018ea30823e\",\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\"],\"columns\":{\"2af7beda-39a4-4d42-b785-a609549ba02f\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destintation IPs\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"62d6a234-31da-42e3-8fe9-38d2744955b3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"source.user.name\"},\"852d53bc-8cf4-47fc-8b40-98ed13472e85\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source IPs\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"},\"9e57e808-1389-458e-8811-5018ea30823e\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination users\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"destination.user.name\"},\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"852d53bc-8cf4-47fc-8b40-98ed13472e85\",\"isTransposed\":false},{\"columnId\":\"62d6a234-31da-42e3-8fe9-38d2744955b3\",\"isTransposed\":false},{\"columnId\":\"2af7beda-39a4-4d42-b785-a609549ba02f\",\"isTransposed\":false},{\"columnId\":\"9e57e808-1389-458e-8811-5018ea30823e\",\"isTransposed\":false},{\"columnId\":\"e72df46d-8fd3-4442-a0ea-e39b53ba949a\",\"isTransposed\":false}],\"layerId\":\"87eed888-756f-45b0-993b-44ad2b1e23a5\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"38bad184-b84b-4b7b-9f09-10b1ee987963\",\"w\":19,\"x\":8,\"y\":0},\"panelIndex\":\"38bad184-b84b-4b7b-9f09-10b1ee987963\",\"title\":\"[CyberArk PTA] Top 5 source and destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5df39b58-343e-4c36-bc61-c70ebbb8ebb6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5df39b58-343e-4c36-bc61-c70ebbb8ebb6\":{\"columnOrder\":[\"2aa9a568-b27e-4dbc-8a00-3f450389045b\",\"83a02722-c998-441f-88bb-84fb6a325083\",\"09539914-b19b-483b-a6cd-f60f284ad80e\"],\"columns\":{\"09539914-b19b-483b-a6cd-f60f284ad80e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\" \",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"2aa9a568-b27e-4dbc-8a00-3f450389045b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cyberark_pta.log.event_type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"09539914-b19b-483b-a6cd-f60f284ad80e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"cyberark_pta.log.event_type\"},\"83a02722-c998-441f-88bb-84fb6a325083\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"09539914-b19b-483b-a6cd-f60f284ad80e\"],\"layerId\":\"5df39b58-343e-4c36-bc61-c70ebbb8ebb6\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"2aa9a568-b27e-4dbc-8a00-3f450389045b\",\"xAccessor\":\"83a02722-c998-441f-88bb-84fb6a325083\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"ab604797-4f60-4588-9fcd-76b81d288a51\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"ab604797-4f60-4588-9fcd-76b81d288a51\",\"title\":\"[CyberArk PTA] Event types over time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98a4e469-bec7-4f11-b02c-11ed260361bb\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98a4e469-bec7-4f11-b02c-11ed260361bb\":{\"columnOrder\":[\"8062269c-4098-4119-bad3-91a03e69f75d\",\"6f7d9103-48dd-4fc0-8240-fd9f6584ff57\"],\"columns\":{\"6f7d9103-48dd-4fc0-8240-fd9f6584ff57\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8062269c-4098-4119-bad3-91a03e69f75d\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"event.severity\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"event.severity\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"8062269c-4098-4119-bad3-91a03e69f75d\"],\"layerId\":\"98a4e469-bec7-4f11-b02c-11ed260361bb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6f7d9103-48dd-4fc0-8240-fd9f6584ff57\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b\",\"w\":8,\"x\":0,\"y\":7},\"panelIndex\":\"7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b\",\"title\":\"[CyberArk PTA] Distribution of events by severity\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d\",\"w\":48,\"x\":0,\"y\":18},\"panelIndex\":\"3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d\",\"panelRefName\":\"panel_3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[CyberArk PTA] Event overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cyberark_pta-eea41650-18bd-11ed-9abd-41a4c44d6e7d", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "562dd571-d7e2-4794-91e9-b78eff36e41c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "562dd571-d7e2-4794-91e9-b78eff36e41c:indexpattern-datasource-layer-3e6332a5-6ad3-41e6-9bb5-6ec2abd887f7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38bad184-b84b-4b7b-9f09-10b1ee987963:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38bad184-b84b-4b7b-9f09-10b1ee987963:indexpattern-datasource-layer-87eed888-756f-45b0-993b-44ad2b1e23a5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38bad184-b84b-4b7b-9f09-10b1ee987963:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab604797-4f60-4588-9fcd-76b81d288a51:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab604797-4f60-4588-9fcd-76b81d288a51:indexpattern-datasource-layer-5df39b58-343e-4c36-bc61-c70ebbb8ebb6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b:indexpattern-datasource-layer-98a4e469-bec7-4f11-b02c-11ed260361bb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7f633d2a-b148-4b8c-bfe3-1a80bfe1d13b:filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d", + "name": "3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d:panel_3e7ba89f-9ab3-47ea-93bc-2a4e47d0c08d", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cyberark_pta/0.1.2/kibana/search/cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d.json b/packages/cyberark_pta/0.1.2/kibana/search/cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d.json new file mode 100755 index 0000000000..2a4b107910 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/kibana/search/cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d.json @@ -0,0 +1,41 @@ +{ + "attributes": { + "columns": [ + "event.reason", + "event.id", + "event.severity", + "event.reference" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"cyberark_pta.events\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"cyberark_pta.events\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[CyberArk PTA] Overview" + }, + "coreMigrationVersion": "7.17.0", + "id": "cyberark_pta-b36467d0-18c1-11ed-9abd-41a4c44d6e7d", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cyberark_pta/0.1.2/manifest.yml b/packages/cyberark_pta/0.1.2/manifest.yml new file mode 100755 index 0000000000..204f9c7a43 --- /dev/null +++ b/packages/cyberark_pta/0.1.2/manifest.yml @@ -0,0 +1,34 @@ +name: cyberark_pta +title: Cyberark Privileged Threat Analytics +version: 0.1.2 +release: beta +license: basic +description: Collect security logs from Cyberark PTA integration. +type: integration +format_version: 1.0.0 +categories: ["security"] +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/cyberarkpta-overview.png + title: cyberark pta overview + size: 600x600 + type: image/png +policy_templates: + - name: cyberark_pta + title: CyberArk Privileged Threat Analytics logs + description: Collect logs from syslog + inputs: + - type: tcp + title: CyberArk PTA via TCP + description: 'Collecting from CyberArk PTA via TCP' + - type: udp + title: CyberArk PTA via UDP + description: 'Collecting logs from CyberArk PTA via UDP' +icons: + - src: /img/logo.svg + title: CyberArk logo + size: 32x32 + type: image/svg+xml +owner: + github: elastic/security-external-integrations diff --git a/packages/cylance/0.10.2/LICENSE.txt b/packages/cylance/0.10.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/cylance/0.10.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/cylance/0.10.2/changelog.yml b/packages/cylance/0.10.2/changelog.yml new file mode 100755 index 0000000000..07e13dff06 --- /dev/null +++ b/packages/cylance/0.10.2/changelog.yml @@ -0,0 +1,116 @@ +# newer versions go on top +- version: "0.10.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4401 +- version: "0.10.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "0.10.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3865 +- version: "0.9.1" + changes: + - description: Added link to vendor documentation in readme.md + type: enhancement + link: https://github.com/elastic/integrations/pull/2960 +- version: "0.9.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "0.8.1" + changes: + - description: Format host.mac as per ECS. + type: bugfix + link: https://github.com/elastic/integrations/pull/3368 +- version: "0.8.0" + changes: + - description: Update to ECS 8.2.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "0.7.0" + changes: + - description: Update to ECS 8.0.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2583 +- version: "0.6.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.6.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2228 +- version: "0.5.4" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2025 +- version: "0.5.3" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1963 +- version: "0.5.2" + changes: + - description: Fixed a bug that prevents the package from working in 7.16. + type: bugfix + link: https://github.com/elastic/integrations/pull/1882 +- version: "0.5.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1815 +- version: "0.5.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1658 +- version: "0.4.3" + changes: + - description: Requires version 7.14.1 of the stack + type: bugfix + link: https://github.com/elastic/integrations/pull/1541 +- version: "0.4.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1475 +- version: '0.4.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1381 +- version: "0.4.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.3.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1261 +- version: "0.2.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1040 +- version: "0.1.4" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/843 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/package-storage/pull/181 diff --git a/packages/cylance/0.10.2/data_stream/protect/agent/stream/stream.yml.hbs b/packages/cylance/0.10.2/data_stream/protect/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..d128dbb819 --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/agent/stream/stream.yml.hbs @@ -0,0 +1,3592 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = setc("eventcategory","1901000000"); + + var dup6 = setc("vendor_event_cat"," AuditLog"); + + var dup7 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup8 = field("event_type"); + + var dup9 = field("event_cat"); + + var dup10 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup11 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var dup14 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var dup16 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup17 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var dup18 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup19 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup20 = constant("1701000000"); + + var dup21 = constant("1804000000"); + + var dup22 = constant("1003010000"); + + var dup23 = linear_select([ + dup3, + dup4, + ]); + + var dup24 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup8, + }); + + var dup25 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup9, + }); + + var dup26 = linear_select([ + dup11, + dup12, + ]); + + var dup27 = linear_select([ + dup14, + dup15, + ]); + + var dup28 = linear_select([ + dup16, + dup17, + ]); + + var dup29 = linear_select([ + dup19, + dup13, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4", "nwparser.p0", "%{checksum}; %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/5_0", "nwparser.p0", "Category: %{category}; Reason: %{p0}"); + + var part6 = match("MESSAGE#0:CylancePROTECT:01/5_1", "nwparser.p0", "Reason: %{p0}"); + + var select3 = linear_select([ + part5, + part6, + ]); + + var part7 = match("MESSAGE#0:CylancePROTECT:01/6", "nwparser.p0", "%{result}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all1 = all_match({ + processors: [ + dup2, + dup23, + part1, + select2, + part4, + select3, + part7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part8, + part9, + ]); + + var part10 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{p0}"); + + var part11 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{p0}"); + + var select5 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", ")%{mail_id->} (%{user_lname->} %{user_fname}"); + + var all2 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select4, + select5, + part12, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part14 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part15 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part13, + part14, + part15, + ]); + + var part16 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part17 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup23, + part17, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part18 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part19 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", "Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part20 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part18, + part19, + part20, + ]); + + var part21 = match("MESSAGE#4:CylancePROTECT:05/4", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var all5 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select7, + part21, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part22 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part23 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part24 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part23, + part24, + ]); + + var part25 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", "(%{p0}"); + + var part26 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{p0}"); + + var select9 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#5:CylancePROTECT:06/5", "nwparser.p0", ")%{mail_id}"); + + var all6 = all_match({ + processors: [ + dup2, + dup23, + part22, + select8, + select9, + part27, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part28 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part29 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", "%{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part28, + part29, + ]); + + var part30 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part30, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ExploitAttempt"), + dup7, + dup24, + dup25, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part31 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part32 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", "%{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part33, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," DeviceControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part34 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part35 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part35, + dup13, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup26, + part34, + select12, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ScriptControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part36 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part37 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", "%{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %{filename}, Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part38, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," Threat"), + dup7, + dup24, + dup25, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part39 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); + + var part40 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", "%{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part41, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," AppControl"), + dup24, + dup25, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part42 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup27, + part42, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part43 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup27, + part43, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part44 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup27, + part44, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg14 = msg("CylancePROTECT:13", all14); + + var part45 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup27, + part45, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part46 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup26, + part46, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part47 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part48 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part49 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part50 = match_copy("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "fld1"); + + var select15 = linear_select([ + part48, + part49, + part50, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup27, + part47, + select15, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part51 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%{filename}, Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part52 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part53 = match_copy("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "username"); + + var select16 = linear_select([ + part52, + part53, + ]); + + var all18 = all_match({ + processors: [ + part51, + select16, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg18 = msg("CylancePROTECT:17", all18); + + var part54 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg19 = msg("CylancePROTECT:18", part54); + + var part55 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part56 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname}"); + + var select17 = linear_select([ + part56, + dup13, + ]); + + var all19 = all_match({ + processors: [ + part55, + select17, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part58 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part59 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part58, + part59, + ]); + + var part60 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned to%{p0}"); + + var part61 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", " the%{p0}"); + + var part62 = match_copy("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", "p0"); + + var select19 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + part57, + select18, + part60, + select19, + part63, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part64 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%{filename}, Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part64); + + var part65 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part66 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part67 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part66, + part67, + ]); + + var all21 = all_match({ + processors: [ + part65, + select20, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part68 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg24 = msg("CylancePROTECT:23", part68); + + var part69 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); + + var part70 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "#015%{}"); + + var part71 = match_copy("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", ""); + + var select21 = linear_select([ + part70, + part71, + ]); + + var all22 = all_match({ + processors: [ + part69, + select21, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part72 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part72, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part73 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part74 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part75 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part74, + part75, + ]); + + var part76 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part77 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part77, + dup13, + ]); + + var all24 = all_match({ + processors: [ + part73, + select22, + part76, + select23, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part78 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part79 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{p0}"); + + var part80 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{p0}"); + + var select24 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "),%{mail_id->} (%{user_lname->} %{user_fname->} Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part78, + select24, + part81, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part82 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part83 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part84 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part85 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part86 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var part87 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var part88 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var part89 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var part90 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var part91 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var part92 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var part93 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var select26 = linear_select([ + dup3, + dup4, + ]); + + var select27 = linear_select([ + dup11, + dup12, + ]); + + var select28 = linear_select([ + dup14, + dup15, + ]); + + var select29 = linear_select([ + dup16, + dup17, + ]); + + var select30 = linear_select([ + dup19, + dup13, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cylance/0.10.2/data_stream/protect/agent/stream/tcp.yml.hbs b/packages/cylance/0.10.2/data_stream/protect/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..b01c278ac2 --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/agent/stream/tcp.yml.hbs @@ -0,0 +1,3589 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = setc("eventcategory","1901000000"); + + var dup6 = setc("vendor_event_cat"," AuditLog"); + + var dup7 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup8 = field("event_type"); + + var dup9 = field("event_cat"); + + var dup10 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup11 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var dup14 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var dup16 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup17 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var dup18 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup19 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup20 = constant("1701000000"); + + var dup21 = constant("1804000000"); + + var dup22 = constant("1003010000"); + + var dup23 = linear_select([ + dup3, + dup4, + ]); + + var dup24 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup8, + }); + + var dup25 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup9, + }); + + var dup26 = linear_select([ + dup11, + dup12, + ]); + + var dup27 = linear_select([ + dup14, + dup15, + ]); + + var dup28 = linear_select([ + dup16, + dup17, + ]); + + var dup29 = linear_select([ + dup19, + dup13, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4", "nwparser.p0", "%{checksum}; %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/5_0", "nwparser.p0", "Category: %{category}; Reason: %{p0}"); + + var part6 = match("MESSAGE#0:CylancePROTECT:01/5_1", "nwparser.p0", "Reason: %{p0}"); + + var select3 = linear_select([ + part5, + part6, + ]); + + var part7 = match("MESSAGE#0:CylancePROTECT:01/6", "nwparser.p0", "%{result}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all1 = all_match({ + processors: [ + dup2, + dup23, + part1, + select2, + part4, + select3, + part7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part8, + part9, + ]); + + var part10 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{p0}"); + + var part11 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{p0}"); + + var select5 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", ")%{mail_id->} (%{user_lname->} %{user_fname}"); + + var all2 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select4, + select5, + part12, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part14 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part15 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part13, + part14, + part15, + ]); + + var part16 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part17 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup23, + part17, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part18 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part19 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", "Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part20 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part18, + part19, + part20, + ]); + + var part21 = match("MESSAGE#4:CylancePROTECT:05/4", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var all5 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select7, + part21, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part22 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part23 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part24 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part23, + part24, + ]); + + var part25 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", "(%{p0}"); + + var part26 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{p0}"); + + var select9 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#5:CylancePROTECT:06/5", "nwparser.p0", ")%{mail_id}"); + + var all6 = all_match({ + processors: [ + dup2, + dup23, + part22, + select8, + select9, + part27, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part28 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part29 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", "%{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part28, + part29, + ]); + + var part30 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part30, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ExploitAttempt"), + dup7, + dup24, + dup25, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part31 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part32 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", "%{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part33, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," DeviceControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part34 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part35 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part35, + dup13, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup26, + part34, + select12, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ScriptControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part36 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part37 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", "%{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %{filename}, Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part38, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," Threat"), + dup7, + dup24, + dup25, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part39 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); + + var part40 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", "%{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part41, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," AppControl"), + dup24, + dup25, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part42 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup27, + part42, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part43 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup27, + part43, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part44 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup27, + part44, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg14 = msg("CylancePROTECT:13", all14); + + var part45 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup27, + part45, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part46 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup26, + part46, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part47 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part48 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part49 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part50 = match_copy("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "fld1"); + + var select15 = linear_select([ + part48, + part49, + part50, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup27, + part47, + select15, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part51 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%{filename}, Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part52 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part53 = match_copy("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "username"); + + var select16 = linear_select([ + part52, + part53, + ]); + + var all18 = all_match({ + processors: [ + part51, + select16, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg18 = msg("CylancePROTECT:17", all18); + + var part54 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg19 = msg("CylancePROTECT:18", part54); + + var part55 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part56 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname}"); + + var select17 = linear_select([ + part56, + dup13, + ]); + + var all19 = all_match({ + processors: [ + part55, + select17, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part58 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part59 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part58, + part59, + ]); + + var part60 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned to%{p0}"); + + var part61 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", " the%{p0}"); + + var part62 = match_copy("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", "p0"); + + var select19 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + part57, + select18, + part60, + select19, + part63, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part64 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%{filename}, Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part64); + + var part65 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part66 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part67 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part66, + part67, + ]); + + var all21 = all_match({ + processors: [ + part65, + select20, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part68 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg24 = msg("CylancePROTECT:23", part68); + + var part69 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); + + var part70 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "#015%{}"); + + var part71 = match_copy("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", ""); + + var select21 = linear_select([ + part70, + part71, + ]); + + var all22 = all_match({ + processors: [ + part69, + select21, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part72 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part72, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part73 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part74 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part75 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part74, + part75, + ]); + + var part76 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part77 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part77, + dup13, + ]); + + var all24 = all_match({ + processors: [ + part73, + select22, + part76, + select23, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part78 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part79 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{p0}"); + + var part80 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{p0}"); + + var select24 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "),%{mail_id->} (%{user_lname->} %{user_fname->} Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part78, + select24, + part81, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part82 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part83 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part84 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part85 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part86 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var part87 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var part88 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var part89 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var part90 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var part91 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var part92 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var part93 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var select26 = linear_select([ + dup3, + dup4, + ]); + + var select27 = linear_select([ + dup11, + dup12, + ]); + + var select28 = linear_select([ + dup14, + dup15, + ]); + + var select29 = linear_select([ + dup16, + dup17, + ]); + + var select30 = linear_select([ + dup19, + dup13, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cylance/0.10.2/data_stream/protect/agent/stream/udp.yml.hbs b/packages/cylance/0.10.2/data_stream/protect/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..85eadd5d19 --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/agent/stream/udp.yml.hbs @@ -0,0 +1,3589 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "Cylance" + product: "Protect" + type: "Anti-Virus" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld14->} %{p0}"); + + var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var dup5 = setc("eventcategory","1901000000"); + + var dup6 = setc("vendor_event_cat"," AuditLog"); + + var dup7 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup8 = field("event_type"); + + var dup9 = field("event_cat"); + + var dup10 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var dup11 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var dup13 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var dup14 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var dup16 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var dup17 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var dup18 = date_time({ + dest: "event_time", + args: ["hmonth","hdate","hhour","hmin","hsec"], + fmts: [ + [dB,dF,dN,dU,dO], + ], + }); + + var dup19 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var dup20 = constant("1701000000"); + + var dup21 = constant("1804000000"); + + var dup22 = constant("1003010000"); + + var dup23 = linear_select([ + dup3, + dup4, + ]); + + var dup24 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup8, + }); + + var dup25 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup9, + }); + + var dup26 = linear_select([ + dup11, + dup12, + ]); + + var dup27 = linear_select([ + dup14, + dup15, + ]); + + var dup28 = linear_select([ + dup16, + dup17, + ]); + + var dup29 = linear_select([ + dup19, + dup13, + ]); + + var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hfld1->} %{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0004", "message", "%{hdate}T%{htime}.%{hfld2->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ + setc("header_id","0004"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0003", "message", "%{hmonth->} %{hdate->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} CylancePROTECT Event Type:%{vendor_event_cat}, %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + ]); + + var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); + + var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{p0}"); + + var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{p0}"); + + var select2 = linear_select([ + part2, + part3, + ]); + + var part4 = match("MESSAGE#0:CylancePROTECT:01/4", "nwparser.p0", "%{checksum}; %{p0}"); + + var part5 = match("MESSAGE#0:CylancePROTECT:01/5_0", "nwparser.p0", "Category: %{category}; Reason: %{p0}"); + + var part6 = match("MESSAGE#0:CylancePROTECT:01/5_1", "nwparser.p0", "Reason: %{p0}"); + + var select3 = linear_select([ + part5, + part6, + ]); + + var part7 = match("MESSAGE#0:CylancePROTECT:01/6", "nwparser.p0", "%{result}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all1 = all_match({ + processors: [ + dup2, + dup23, + part1, + select2, + part4, + select3, + part7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg1 = msg("CylancePROTECT:01", all1); + + var part8 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); + + var part9 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); + + var select4 = linear_select([ + part8, + part9, + ]); + + var part10 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{p0}"); + + var part11 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{p0}"); + + var select5 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", ")%{mail_id->} (%{user_lname->} %{user_fname}"); + + var all2 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select4, + select5, + part12, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg2 = msg("CylancePROTECT:02", all2); + + var part13 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); + + var part14 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); + + var part15 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); + + var select6 = linear_select([ + part13, + part14, + part15, + ]); + + var part16 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all3 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg3 = msg("CylancePROTECT:03", all3); + + var part17 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all4 = all_match({ + processors: [ + dup2, + dup23, + part17, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg4 = msg("CylancePROTECT:04", all4); + + var part18 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); + + var part19 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", "Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); + + var part20 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); + + var select7 = linear_select([ + part18, + part19, + part20, + ]); + + var part21 = match("MESSAGE#4:CylancePROTECT:05/4", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + + var all5 = all_match({ + processors: [ + dup2, + dup23, + dup10, + select7, + part21, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg5 = msg("CylancePROTECT:05", all5); + + var part22 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); + + var part23 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); + + var part24 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); + + var select8 = linear_select([ + part23, + part24, + ]); + + var part25 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", "(%{p0}"); + + var part26 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{p0}"); + + var select9 = linear_select([ + part25, + part26, + ]); + + var part27 = match("MESSAGE#5:CylancePROTECT:06/5", "nwparser.p0", ")%{mail_id}"); + + var all6 = all_match({ + processors: [ + dup2, + dup23, + part22, + select8, + select9, + part27, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup24, + dup25, + ]), + }); + + var msg6 = msg("CylancePROTECT:06", all6); + + var part28 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); + + var part29 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", "%{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); + + var select10 = linear_select([ + part28, + part29, + ]); + + var part30 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); + + var all7 = all_match({ + processors: [ + dup2, + select10, + part30, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ExploitAttempt"), + dup7, + dup24, + dup25, + ]), + }); + + var msg7 = msg("CylancePROTECT:07", all7); + + var part31 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); + + var part32 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", "%{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); + + var select11 = linear_select([ + part31, + part32, + ]); + + var part33 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); + + var all8 = all_match({ + processors: [ + dup2, + select11, + part33, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," DeviceControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg8 = msg("CylancePROTECT:08", all8); + + var part34 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); + + var part35 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); + + var select12 = linear_select([ + part35, + dup13, + ]); + + var all9 = all_match({ + processors: [ + dup2, + dup26, + part34, + select12, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," ScriptControl"), + dup7, + dup24, + dup25, + ]), + }); + + var msg9 = msg("CylancePROTECT:09", all9); + + var part36 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); + + var part37 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", "%{fld4->} Event Type: Threat, Event Name: %{p0}"); + + var select13 = linear_select([ + part36, + part37, + ]); + + var part38 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %{filename}, Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); + + var all10 = all_match({ + processors: [ + dup2, + select13, + part38, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," Threat"), + dup7, + dup24, + dup25, + ]), + }); + + var msg10 = msg("CylancePROTECT:10", all10); + + var part39 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); + + var part40 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", "%{fld5->} Event Type: AppControl, Event Name: %{p0}"); + + var select14 = linear_select([ + part39, + part40, + ]); + + var part41 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); + + var all11 = all_match({ + processors: [ + dup2, + select14, + part41, + ], + on_success: processor_chain([ + dup5, + setc("vendor_event_cat"," AppControl"), + dup24, + dup25, + ]), + }); + + var msg11 = msg("CylancePROTECT:11", all11); + + var part42 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); + + var all12 = all_match({ + processors: [ + dup2, + dup27, + part42, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg12 = msg("CylancePROTECT:15", all12); + + var part43 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + + var all13 = all_match({ + processors: [ + dup2, + dup27, + part43, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg13 = msg("CylancePROTECT:14", all13); + + var part44 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); + + var all14 = all_match({ + processors: [ + dup2, + dup27, + part44, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg14 = msg("CylancePROTECT:13", all14); + + var part45 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); + + var all15 = all_match({ + processors: [ + dup2, + dup27, + part45, + dup28, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg15 = msg("CylancePROTECT:16", all15); + + var part46 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); + + var all16 = all_match({ + processors: [ + dup2, + dup26, + part46, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg16 = msg("CylancePROTECT:25", all16); + + var part47 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); + + var part48 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); + + var part49 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); + + var part50 = match_copy("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "fld1"); + + var select15 = linear_select([ + part48, + part49, + part50, + ]); + + var all17 = all_match({ + processors: [ + dup2, + dup27, + part47, + select15, + ], + on_success: processor_chain([ + dup5, + dup7, + dup24, + dup25, + ]), + }); + + var msg17 = msg("CylancePROTECT:12", all17); + + var part51 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%{filename}, Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); + + var part52 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); + + var part53 = match_copy("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "username"); + + var select16 = linear_select([ + part52, + part53, + ]); + + var all18 = all_match({ + processors: [ + part51, + select16, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg18 = msg("CylancePROTECT:17", all18); + + var part54 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg19 = msg("CylancePROTECT:18", part54); + + var part55 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); + + var part56 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname}"); + + var select17 = linear_select([ + part56, + dup13, + ]); + + var all19 = all_match({ + processors: [ + part55, + select17, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg20 = msg("CylancePROTECT:19", all19); + + var part57 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); + + var part58 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); + + var part59 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); + + var select18 = linear_select([ + part58, + part59, + ]); + + var part60 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned to%{p0}"); + + var part61 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", " the%{p0}"); + + var part62 = match_copy("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", "p0"); + + var select19 = linear_select([ + part61, + part62, + ]); + + var part63 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); + + var all20 = all_match({ + processors: [ + part57, + select18, + part60, + select19, + part63, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg21 = msg("CylancePROTECT:20", all20); + + var part64 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%{filename}, Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + date_time({ + dest: "effective_time", + args: ["fld51"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dQ], + ], + }), + ])); + + var msg22 = msg("CylancePROTECT:21", part64); + + var part65 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); + + var part66 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); + + var part67 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); + + var select20 = linear_select([ + part66, + part67, + ]); + + var all21 = all_match({ + processors: [ + part65, + select20, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg23 = msg("CylancePROTECT:22", all21); + + var part68 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup5, + dup18, + dup24, + dup25, + ])); + + var msg24 = msg("CylancePROTECT:23", part68); + + var part69 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); + + var part70 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "#015%{}"); + + var part71 = match_copy("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", ""); + + var select21 = linear_select([ + part70, + part71, + ]); + + var all22 = all_match({ + processors: [ + part69, + select21, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg25 = msg("CylancePROTECT:24", all22); + + var part72 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var all23 = all_match({ + processors: [ + part72, + dup29, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg26 = msg("CylancePROTECT:26", all23); + + var part73 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); + + var part74 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); + + var part75 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); + + var select22 = linear_select([ + part74, + part75, + ]); + + var part76 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); + + var part77 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); + + var select23 = linear_select([ + part77, + dup13, + ]); + + var all24 = all_match({ + processors: [ + part73, + select22, + part76, + select23, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg27 = msg("CylancePROTECT:27", all24); + + var part78 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); + + var part79 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{p0}"); + + var part80 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{p0}"); + + var select24 = linear_select([ + part79, + part80, + ]); + + var part81 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "),%{mail_id->} (%{user_lname->} %{user_fname->} Zone Names: %{info->} Device Id: %{fld3}"); + + var all25 = all_match({ + processors: [ + part78, + select24, + part81, + ], + on_success: processor_chain([ + dup5, + dup18, + dup24, + dup25, + ]), + }); + + var msg28 = msg("CylancePROTECT:28", all25); + + var select25 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "CylancePROTECT": select25, + }), + ]); + + var part82 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); + + var part83 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); + + var part84 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); + + var part85 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); + + var part86 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); + + var part87 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); + + var part88 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); + + var part89 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); + + var part90 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); + + var part91 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); + + var part92 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); + + var part93 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); + + var select26 = linear_select([ + dup3, + dup4, + ]); + + var select27 = linear_select([ + dup11, + dup12, + ]); + + var select28 = linear_select([ + dup14, + dup15, + ]); + + var select29 = linear_select([ + dup16, + dup17, + ]); + + var select30 = linear_select([ + dup19, + dup13, + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/cylance/0.10.2/data_stream/protect/elasticsearch/ingest_pipeline/default.yml b/packages/cylance/0.10.2/data_stream/protect/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..d7a205c69a --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,82 @@ +--- +description: Pipeline for CylanceProtect + +processors: + - set: + field: ecs.version + value: '8.4.0' + - gsub: + field: host.mac + ignore_missing: true + pattern: '[:]' + replacement: '-' + - uppercase: + field: host.mac + ignore_missing: true + - script: + description: Convert host.mac to an array. + if: ctx.host?.mac != null && ctx.host.mac instanceof String + lang: painless + source: + ctx.host.mac = [ctx.host.mac]; + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cylance/0.10.2/data_stream/protect/fields/base-fields.yml b/packages/cylance/0.10.2/data_stream/protect/fields/base-fields.yml new file mode 100755 index 0000000000..0e6d697031 --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/fields/base-fields.yml @@ -0,0 +1,43 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cylance +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cylance.protect +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/cylance/0.10.2/data_stream/protect/fields/ecs.yml b/packages/cylance/0.10.2/data_stream/protect/fields/ecs.yml new file mode 100755 index 0000000000..8431bd9f0a --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/fields/ecs.yml @@ -0,0 +1,542 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/cylance/0.10.2/data_stream/protect/fields/fields.yml b/packages/cylance/0.10.2/data_stream/protect/fields/fields.yml new file mode 100755 index 0000000000..489a873293 --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/fields/fields.yml @@ -0,0 +1,1753 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/cylance/0.10.2/data_stream/protect/manifest.yml b/packages/cylance/0.10.2/data_stream/protect/manifest.yml new file mode 100755 index 0000000000..842a9e3ea5 --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/manifest.yml @@ -0,0 +1,204 @@ +title: CylanceProtect logs +release: experimental +type: logs +streams: + - input: udp + title: CylanceProtect logs + description: Collect CylanceProtect logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cylance-protect + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 9529 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: CylanceProtect logs + description: Collect CylanceProtect logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cylance-protect + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP port to listen on + multi: false + required: true + show_user: true + default: 9529 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + enabled: false + title: CylanceProtect logs + description: Collect CylanceProtect logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/cylance-protect.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - cylance-protect + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cylance/0.10.2/data_stream/protect/sample_event.json b/packages/cylance/0.10.2/data_stream/protect/sample_event.json new file mode 100755 index 0000000000..e22298905d --- /dev/null +++ b/packages/cylance/0.10.2/data_stream/protect/sample_event.json @@ -0,0 +1,85 @@ +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "59f54338-3ade-4554-a66e-005e3f777eec", + "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.1.3" + }, + "data_stream": { + "dataset": "cylance.protect", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "de9c1b8e-5967-4715-bc22-6f9dd52f6cc2", + "snapshot": false, + "version": "8.1.3" + }, + "event": { + "action": "ZoneAdd", + "agent_id_status": "verified", + "code": "CylancePROTECT", + "dataset": "cylance.protect", + "ingested": "2022-05-17T13:06:35Z", + "original": "29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore \u003c\u003csequa\u003eabo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo)", + "timezone": "+00:00" + }, + "host": { + "name": "nostrud4819.mail.test" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:40993" + } + }, + "observer": { + "product": "Protect", + "type": "Anti-Virus", + "vendor": "Cylance" + }, + "related": { + "hosts": [ + "nostrud4819.mail.test" + ] + }, + "rsa": { + "identity": { + "firstname": "uii", + "lastname": "umexe" + }, + "internal": { + "messageid": "CylancePROTECT" + }, + "investigations": { + "event_cat": 1901000000, + "event_cat_name": "Other.Default", + "event_vcat": " AuditLog" + }, + "misc": { + "event_type": "ZoneAdd", + "mail_id": "estlabo", + "node": "pisciv", + "policy_name": "orev" + }, + "network": { + "alias_host": [ + "nostrud4819.mail.test" + ] + }, + "time": { + "event_time": "2016-01-29T06:09:59.000Z" + } + }, + "tags": [ + "forwarded", + "preserve_original_event" + ] +} \ No newline at end of file diff --git a/packages/cylance/0.10.2/docs/README.md b/packages/cylance/0.10.2/docs/README.md new file mode 100755 index 0000000000..ea9b9a927d --- /dev/null +++ b/packages/cylance/0.10.2/docs/README.md @@ -0,0 +1,796 @@ +# Cylance integration + +This integration is for [Cylance](https://www.blackberry.com/us/en/products/unified-endpoint-security/blackberry-protect) logs. It includes the following datasets for receiving logs over syslog or read from a file: + +- `protect` dataset: supports CylanceProtect logs. + +### Protect + +The `protect` dataset collects CylanceProtect logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | + diff --git a/packages/cylance/0.10.2/img/logo.svg b/packages/cylance/0.10.2/img/logo.svg new file mode 100755 index 0000000000..ccd6004d19 --- /dev/null +++ b/packages/cylance/0.10.2/img/logo.svg @@ -0,0 +1,82 @@ + + + + +Cylance_BB_Logo_RGB_Vert_Black + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/cylance/0.10.2/manifest.yml b/packages/cylance/0.10.2/manifest.yml new file mode 100755 index 0000000000..3802ad08e4 --- /dev/null +++ b/packages/cylance/0.10.2/manifest.yml @@ -0,0 +1,32 @@ +format_version: 1.0.0 +name: cylance +title: CylanceProtect Logs +version: "0.10.2" +description: Collect logs from CylanceProtect devices with Elastic Agent. +categories: ["security"] +release: experimental +license: basic +type: integration +conditions: + kibana.version: "^7.14.1 || ^8.0.0" +policy_templates: + - name: protect + title: CylanceProtect + description: Collect CylanceProtect logs from syslog or a file. + inputs: + - type: udp + title: Collect logs from CylanceProtect via UDP + description: Collecting syslog from CylanceProtect via UDP + - type: tcp + title: Collect logs from CylanceProtect via TCP + description: Collecting syslog from CylanceProtect via TCP + - type: logfile + title: Collect logs from CylanceProtect via file + description: Collecting syslog from CylanceProtect via file. +icons: + - src: /img/logo.svg + title: CylanceProtect logo + size: 32x32 + type: image/svg+xml +owner: + github: elastic/security-external-integrations diff --git a/packages/darktrace/0.1.2/LICENSE.txt b/packages/darktrace/0.1.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/darktrace/0.1.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/darktrace/0.1.2/changelog.yml b/packages/darktrace/0.1.2/changelog.yml new file mode 100755 index 0000000000..7cc05faccb --- /dev/null +++ b/packages/darktrace/0.1.2/changelog.yml @@ -0,0 +1,16 @@ +# newer versions go on top +- version: '0.1.2' + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4401 +- version: '0.1.1' + changes: + - description: Fix documentation + type: bugfix + link: https://github.com/elastic/integrations/pull/4427 +- version: '0.1.0' + changes: + - description: Initial Release. + type: enhancement + link: https://github.com/elastic/integrations/pull/4001 diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..7f34d9e5ec --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs @@ -0,0 +1,50 @@ +config_version: 2 +interval: {{interval}} +request.method: GET +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.url: {{url}}/aianalyst/incidentevents?includeacknowledged=true&includeincidenteventurl=true +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: header.DTAPI-Token + value: {{public_token}} + - set: + target: header.DTAPI-Date + value: '[[formatDate (now) "20060102T150405"]]' + - set: + target: url.params.starttime + value: '[[.cursor.last_execution_datetime]]' + default: '[[(now (parseDuration "-{{initial_interval}}")).UnixMilli]]' + - set: + target: url.params.endtime + value: '[[(now).UnixMilli]]' + - set: + target: header.DTAPI-Signature + value: '[[hmac "sha1" "{{private_token}}" (sprintf "%s?%s\n%s\n%s" .url.Path .url.RawQuery "{{public_token}}" (formatDate (now) "20060102T150405"))]]' +cursor: + last_execution_datetime: + value: '[[.last_response.url.params.Get "endtime"]]' +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..b1d260f0f9 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs @@ -0,0 +1,26 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if tcp_options}} +{{tcp_options}} +{{/if}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- syslog: + field: message +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..f342c4fa75 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs @@ -0,0 +1,23 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if udp_options}} +{{udp_options}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- syslog: + field: message +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..3b22b43d8b --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,856 @@ +--- +description: Pipeline for processing AI Analyst Alert logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - grok: + field: message + patterns: + - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$" + pattern_definitions: + FIELD: "[a-zA-Z]*" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.id + - json.createdAt + - json.activityId + - json.currentGroup + target_field: _id + ignore_missing: true + - set: + field: event.kind + value: alert + if: (['critical','suspicious'].contains(ctx.json?.category?.toLowerCase())) + - set: + field: event.kind + value: event + if: (['compliance','informational'].contains(ctx.json?.category?.toLowerCase())) + - set: + field: event.category + value: [threat] + if: ctx.event?.kind == 'alert' + - set: + field: event.type + value: [info] + - rename: + field: json.activityId + target_field: darktrace.ai_analyst_alert.activity_id + ignore_missing: true + - convert: + field: json.aiaScore + target_field: darktrace.ai_analyst_alert.aia_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.risk_score + copy_from: darktrace.ai_analyst_alert.aia_score + ignore_failure: true + - set: + field: event.risk_score_norm + copy_from: darktrace.ai_analyst_alert.aia_score + ignore_failure: true + - foreach: + field: json.attackPhases + if: ctx.json?.attackPhases instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value + type: long + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.attackPhases + target_field: darktrace.ai_analyst_alert.attack_phases + ignore_missing: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.did + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.did + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: host.id + value: '{{{_ingest._value.did}}}' + allow_duplicates: false + ignore_failure: true + - convert: + field: host.id + type: string + ignore_missing: true + on_failure: + - remove: + field: host.id + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.hostname + type: ip + target_field: _ingest._value._temp_.hostname_ip + ignore_missing: true + on_failure: + - append: + field: host.hostname + value: '{{{_ingest._value.hostname}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.hostname_ip}}}' + allow_duplicates: false + ignore_failure: true + - set: + field: related.hosts + copy_from: host.hostname + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.identifier + target_field: _ingest._value._temp_.identifier_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: host.name + value: '{{{_ingest._value.identifier}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.identifier_ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: host.name + if: ctx.host?.name instanceof List + ignore_failure: true + processor: + append: + field: related.hosts + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.ip + target_field: _ingest._value._temp_.ip + type: ip + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: host.ip + value: '{{{_ingest._value._temp_.ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: host.ip + if: ctx.host?.ip instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + gsub: + field: _ingest._value.mac + target_field: _ingest._value.mac_address + pattern: '[:.]' + replacement: '-' + ignore_missing: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + uppercase: + field: _ingest._value.mac_address + ignore_missing: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: host.mac + value: '{{{_ingest._value.mac_address}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.sid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.sid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + remove: + field: + - _ingest._value._temp_ + - _ingest._value.mac + ignore_missing: true + - rename: + field: json.breachDevices + target_field: darktrace.ai_analyst_alert.breach_devices + ignore_missing: true + - rename: + field: json.category + target_field: darktrace.ai_analyst_alert.category + ignore_missing: true + - rename: + field: json.children + target_field: darktrace.ai_analyst_alert.children + ignore_missing: true + - set: + field: threat.enrichments.matched.id + copy_from: darktrace.ai_analyst_alert.children + ignore_failure: true + - date: + field: json.createdAt + target_field: darktrace.ai_analyst_alert.created_at + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.createdAt != null + on_failure: + - remove: + field: json.createdAt + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + copy_from: darktrace.ai_analyst_alert.created_at + ignore_failure: true + - rename: + field: json.currentGroup + target_field: darktrace.ai_analyst_alert.current_group + ignore_missing: true + - set: + field: threat.group.id + copy_from: darktrace.ai_analyst_alert.current_group + ignore_failure: true + if: ctx.darktrace?.ai_analyst_alert?.current_group != null + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + convert: + field: _ingest._value.ip + target_field: _ingest._value._temp_.ip + type: ip + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + convert: + field: _ingest._value.hostname + target_field: _ingest._value._temp_.hostname_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: related.hosts + value: '{{{_ingest._value.hostname}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.hostname_ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + convert: + field: _ingest._value.identifier + target_field: _ingest._value._temp_.identifier_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: related.hosts + value: '{{{_ingest._value.identifier}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.identifier_ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + gsub: + field: _ingest._value.mac + target_field: _ingest._value.mac_address + pattern: '[:.]' + replacement: '-' + ignore_missing: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + uppercase: + field: _ingest._value.mac_address + ignore_missing: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + remove: + field: + - _ingest._value._temp_ + - _ingest._value.mac + ignore_missing: true + - rename: + field: json.details + target_field: darktrace.ai_analyst_alert.details + ignore_missing: true + - convert: + field: json.groupByActivity + target_field: darktrace.ai_analyst_alert.group_by_activity + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: threat.group.id + copy_from: darktrace.ai_analyst_alert.activity_id + ignore_failure: true + if: ctx.threat?.group?.id == null && ctx.darktrace?.ai_analyst_alert?.group_by_activity == true + - rename: + field: json.groupCategory + target_field: darktrace.ai_analyst_alert.group_category + ignore_missing: true + - rename: + field: json.groupPreviousGroups + target_field: darktrace.ai_analyst_alert.group_previous_groups + ignore_missing: true + - convert: + field: json.groupScore + target_field: darktrace.ai_analyst_alert.group_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.groupingIds + target_field: darktrace.ai_analyst_alert.grouping_ids + ignore_missing: true + - rename: + field: json.id + target_field: darktrace.ai_analyst_alert.id + ignore_missing: true + - set: + field: event.id + copy_from: darktrace.ai_analyst_alert.id + ignore_failure: true + - uri_parts: + field: json.incidentEventUrl + target_field: darktrace.ai_analyst_alert.incident_event_url + if: ctx.json?.incidentEventUrl != null + keep_original: true + on_failure: + - remove: + field: json.incidentEventUrl + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.url + copy_from: darktrace.ai_analyst_alert.incident_event_url.original + ignore_failure: true + - convert: + field: json.acknowledged + target_field: darktrace.ai_analyst_alert.is_acknowledged + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.externalTriggered + target_field: darktrace.ai_analyst_alert.is_external_triggered + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.pinned + target_field: darktrace.ai_analyst_alert.is_pinned + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.userTriggered + target_field: darktrace.ai_analyst_alert.is_user_triggered + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - script: + description: Determine event.duration from starting and ending activity timestamp. + if: ctx.json?.periods instanceof List + lang: painless + ignore_failure: true + params: + NANOS_IN_A_MILLI_SECOND: 1000000 + source: + def duration = new ArrayList(); + for (event in ctx.json.periods) { + duration.add((event?.end - event?.start) * params.NANOS_IN_A_MILLI_SECOND); + } + ctx.event.duration = duration; + - foreach: + field: json.periods + if: ctx.json?.periods instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.end + target_field: _ingest._value.end + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.end + ignore_missing: true + - foreach: + field: json.periods + if: ctx.json?.periods instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.start + target_field: _ingest._value.start + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.start + ignore_missing: true + - rename: + field: json.periods + target_field: darktrace.ai_analyst_alert.periods + ignore_missing: true + - foreach: + field: darktrace.ai_analyst_alert.periods + if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List + ignore_failure: true + processor: + append: + field: event.end + value: '{{{_ingest._value.end}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: darktrace.ai_analyst_alert.periods + if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List + ignore_failure: true + processor: + append: + field: event.start + value: '{{{_ingest._value.start}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.timestamp + target_field: _ingest._value.timestamp + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.timestamp + ignore_missing: true + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.pbid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.pbid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.threatScore + target_field: _ingest._value.threat_score + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.threatScore + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + rename: + field: _ingest._value.modelName + target_field: _ingest._value.model_name + ignore_missing: true + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + append: + field: rule.name + value: '{{{_ingest._value.model_name}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + remove: + field: _ingest._value.threatScore + ignore_missing: true + - rename: + field: json.relatedBreaches + target_field: darktrace.ai_analyst_alert.related_breaches + ignore_missing: true + - rename: + field: json.summariser + target_field: darktrace.ai_analyst_alert.summariser + ignore_missing: true + - rename: + field: json.summary + target_field: darktrace.ai_analyst_alert.summary + ignore_missing: true + - set: + field: message + copy_from: darktrace.ai_analyst_alert.summary + ignore_failure: true + - rename: + field: json.title + target_field: darktrace.ai_analyst_alert.title + ignore_missing: true + - set: + field: event.reason + copy_from: darktrace.ai_analyst_alert.title + ignore_failure: true + - remove: + field: json + ignore_missing: true + - remove: + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + field: + - darktrace.ai_analyst_alert.created_at + - darktrace.ai_analyst_alert.summary + - darktrace.ai_analyst_alert.id + - darktrace.ai_analyst_alert.title + - darktrace.ai_analyst_alert.aia_score + - darktrace.ai_analyst_alert.children + ignore_failure: true + ignore_missing: true + - foreach: + field: darktrace.ai_analyst_alert.related_breaches + if: ctx.darktrace?.ai_analyst_alert?.related_breaches instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) + ignore_failure: true + processor: + remove: + field: + - _ingest._value.model_name + ignore_missing: true + ignore_failure: true + - foreach: + field: darktrace.ai_analyst_alert.periods + if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) + ignore_failure: true + processor: + remove: + field: + - _ingest._value.start + - _ingest._value.end + ignore_missing: true + ignore_failure: true + - foreach: + field: darktrace.ai_analyst_alert.breach_devices + if: ctx.darktrace?.ai_analyst_alert?.breach_devices instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) + ignore_failure: true + processor: + remove: + field: + - _ingest._value.did + - _ingest._value.mac_address + ignore_missing: true + ignore_failure: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/agent.yml b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/agent.yml new file mode 100755 index 0000000000..47d5be58da --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/agent.yml @@ -0,0 +1,164 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: >- + If the host is a container. + - name: os.build + type: keyword + example: '18D109' + description: >- + OS build information. + - name: os.codename + type: keyword + example: 'stretch' + description: >- + OS codename, if any. +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/base-fields.yml b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/base-fields.yml new file mode 100755 index 0000000000..f5f5a863f1 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: darktrace +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: darktrace.ai_analyst_alert +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/ecs.yml b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/ecs.yml new file mode 100755 index 0000000000..26068c71d3 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/ecs.yml @@ -0,0 +1,153 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Normalized risk score or priority of the event, on a scale of 0 to 100. + This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + name: event.risk_score_norm + type: float +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: The device or application that originated the Syslog message, if available. + name: log.syslog.appname + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: The Syslog text-based facility of the log event, if available. + name: log.syslog.facility.name + type: keyword +- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. + name: log.syslog.hostname + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + name: log.syslog.severity.name + type: keyword +- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. + name: log.syslog.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: Identifies the _id of the indicator document enriching the event. + name: threat.enrichments.matched.id + type: keyword +- description: |- + The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. + While not required, you can use a MITRE ATT&CK® group id. + name: threat.group.id + type: keyword diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/fields.yml b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/fields.yml new file mode 100755 index 0000000000..2a6a32bea6 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/fields/fields.yml @@ -0,0 +1,143 @@ +- name: darktrace.ai_analyst_alert + type: group + fields: + - name: activity_id + type: keyword + description: An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident. + - name: aia_score + type: double + description: The score of the event as classified by AI Analyst - out of 100. + - name: attack_phases + type: long + description: Of the six attack phases, which phases are applicable to the activity. + - name: breach_devices + type: group + fields: + - name: did + type: long + description: The unique device id identifier for the device that triggered the breach. This field is used to group events into device-based incidents within the Threat Visualizer. + - name: hostname + type: keyword + description: The hostname associated with the device, if available. + - name: identifier + type: keyword + description: An identifier for the device used when constructing summaries or reports. May be the device label, hostname or IP, depending on availability. + - name: ip + type: keyword + description: The IP associated with the device. + - name: mac_address + type: keyword + description: The MAC address associated with the device. + - name: sid + type: long + description: The subnet id for the subnet the device is currently located in. + - name: subnet + type: keyword + description: The subnet label for the corresponding subnet, if available. + - name: category + type: keyword + description: The behavior category associated with the incident event. + - name: children + type: keyword + description: One or more unique identifiers that can be used to request this AI Analyst event via the UI or API. Where there is more than one uuid, requests can be made with comma-separated values. + - name: created_at + type: date + description: Timestamp for event creation in epoch time. + - name: current_group + type: keyword + description: The UUID of the current incident this event belongs to. + - name: details + type: flattened + description: An array of multiple sections (sub-arrays) of event information. + - name: group_by_activity + type: boolean + description: Used by pre-v5.2 legacy incident construction. Indicates whether the event should be aggregated by activity or by device to create an incident. When true, the event should be aggregated by activityID, and when false, aggregated by groupingID(s). + - name: group_category + type: keyword + description: The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. + - name: group_previous_groups + type: keyword + description: If the incident event was part of an incident which was later merged with another, the UUIDs of the incidents before they were merged. + - name: group_score + type: double + description: The current overall score of the incident this event is part of. + - name: grouping_ids + type: keyword + description: Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false , this field should be used to group events together into an incident. + - name: id + type: keyword + description: A system field. + - name: incident_event_url + type: group + description: A URL to access the AI Analyst alert in the Threat Visualizer. + fields: + - name: domain + type: keyword + - name: extension + type: keyword + - name: fragment + type: keyword + - name: full + type: keyword + - name: original + type: keyword + - name: password + type: keyword + - name: path + type: keyword + - name: port + type: long + - name: query + type: keyword + - name: scheme + type: keyword + - name: username + type: keyword + - name: is_acknowledged + type: boolean + description: Whether the event has been acknowledged. + - name: is_external_triggered + type: boolean + description: Whether the event was created as a result of an externally triggered AI Analyst investigation. + - name: is_pinned + type: boolean + description: Whether the event, or an incident that the event is associated with, is pinned within the Threat Visualizer user interface. Pinned events will always return regardless of the timeframe specified. + - name: is_user_triggered + type: boolean + description: Whether the event was created as a result of a user-triggered AI Analyst investigation. + - name: periods + type: group + fields: + - name: end + type: date + description: A timestamp for the end of the activity period in epoch time. + - name: start + type: date + description: A timestamp for the start of the activity period in epoch time. + - name: related_breaches + type: group + fields: + - name: model_name + type: keyword + description: The name of the model that breached. + - name: pbid + type: long + description: The policy breach ID unique identifier of the model breach. + - name: threat_score + type: long + description: The breach score of the associated model breach - out of 100. + - name: timestamp + type: date + description: The timestamp at which the model breach occurred in epoch time. + - name: summariser + type: keyword + description: A system field. + - name: summary + type: keyword + description: A textual summary of the suspicious activity. This example is abbreviated. + - name: title + type: keyword + description: A title describing the activity that occurred. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/manifest.yml b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/manifest.yml new file mode 100755 index 0000000000..6e056b2c96 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/manifest.yml @@ -0,0 +1,179 @@ +title: Collect AI Analyst Alert logs from Darktrace +type: logs +streams: + - input: httpjson + title: AI Analyst Alert logs + description: Collect AI Analyst Alert logs via API. + template_path: httpjson.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the AI Analyst Alert logs from Darktrace. NOTE:- Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Darktrace API. NOTE:- Supported units for this parameter are h/m/s. + default: 1m + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace-ai_analyst_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp + title: AI Analyst Alert logs + description: Collect AI Analyst Alert logs via TCP input. + template_path: tcp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9571 + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace-ai_analyst_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + title: AI Analyst Alert logs + description: Collect AI Analyst Alert logs via UDP input. + template_path: udp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9574 + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace-ai_analyst_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/sample_event.json b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/sample_event.json new file mode 100755 index 0000000000..fa6272b4ac --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/ai_analyst_alert/sample_event.json @@ -0,0 +1,241 @@ +{ + "@timestamp": "2021-08-03T14:48:09.240Z", + "agent": { + "ephemeral_id": "82482032-e103-4c45-a00e-103ac604f4ae", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "ai_analyst_alert": { + "activity_id": "abcd1234", + "aia_score": 98, + "attack_phases": [ + 5 + ], + "breach_devices": [ + { + "did": 10, + "ip": "81.2.69.144", + "sid": 12, + "subnet": "VPN" + } + ], + "category": "critical", + "children": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ], + "created_at": "2021-08-03T14:48:09.240Z", + "current_group": "eabc1234-1234-1234-1234-cabcdefg0011", + "details": [ + [ + { + "contents": [ + { + "type": "device", + "values": [ + { + "did": 10, + "ip": "175.16.199.1", + "sid": 12, + "subnet": "VPN" + } + ] + } + ], + "header": "Breaching Device" + } + ], + [ + { + "contents": [ + { + "key": "Time", + "type": "timestampRange", + "values": [ + { + "end": 1628000141220, + "start": 1627985298683 + } + ] + }, + { + "key": "Number of unique IPs", + "type": "integer", + "values": [ + 16 + ] + }, + { + "key": "Targeted IP ranges include", + "type": "device", + "values": [ + { + "ip": "81.2.69.192" + }, + { + "ip": "175.16.199.1" + }, + { + "ip": "175.16.199.3" + } + ] + }, + { + "key": "Destination port", + "type": "integer", + "values": [ + 22 + ] + }, + { + "key": "Connection count", + "type": "integer", + "values": [ + 40 + ] + }, + { + "key": "Percentage successful", + "type": "percentage", + "values": [ + 100 + ] + } + ], + "header": "SSH Activity" + } + ] + ], + "group_by_activity": false, + "group_category": "critical", + "group_score": 72.9174234, + "grouping_ids": [ + "abcdef12" + ], + "id": "eabc0011-1234-1234-1234-cabcdefg0011", + "is_acknowledged": false, + "is_external_triggered": false, + "is_pinned": true, + "is_user_triggered": false, + "periods": [ + { + "end": "2021-08-03T14:15:41.220Z", + "start": "2021-08-03T10:08:18.683Z" + } + ], + "related_breaches": [ + { + "model_name": "Unusual Activity / Unusual Activity from Re-Activated Device", + "pbid": 1234, + "threat_score": 37, + "timestamp": "2021-08-03T13:25:57.000Z" + } + ], + "summariser": "AdminConnSummary", + "summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", + "title": "Extensive Unusual SSH Connections" + } + }, + "data_stream": { + "dataset": "darktrace.ai_analyst_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "darktrace.ai_analyst_alert", + "duration": [ + 14842537000000 + ], + "end": [ + "2021-08-03T14:15:41.220Z" + ], + "id": "eabc0011-1234-1234-1234-cabcdefg0011", + "ingested": "2022-09-30T11:36:06Z", + "kind": "alert", + "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}", + "reason": "Extensive Unusual SSH Connections", + "risk_score": 98, + "risk_score_norm": 98, + "start": [ + "2021-08-03T10:08:18.683Z" + ], + "type": [ + "info" + ] + }, + "host": { + "id": [ + "10" + ], + "ip": [ + "81.2.69.144" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.128.5:49066" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", + "related": { + "ip": [ + "81.2.69.144", + "175.16.199.1", + "81.2.69.192", + "175.16.199.3" + ] + }, + "rule": { + "name": [ + "Unusual Activity / Unusual Activity from Re-Activated Device" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace-ai_analyst_alert" + ], + "threat": { + "enrichments": { + "matched": { + "id": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ] + } + }, + "group": { + "id": "eabc1234-1234-1234-1234-cabcdefg0011" + } + } +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs b/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..8201241e03 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs @@ -0,0 +1,53 @@ +config_version: 2 +interval: {{interval}} +request.method: GET +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +request.url: {{url}}/modelbreaches?expandenums=true&historicmodelonly=true&includeacknowledged=true&includebreachurl=true +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: header.DTAPI-Token + value: {{public_token}} + - set: + target: header.DTAPI-Date + value: '[[formatDate (now) "20060102T150405"]]' + - set: + target: url.params.group + value: 'device' + - set: + target: url.params.starttime + value: '[[.cursor.last_execution_datetime]]' + default: '[[(now (parseDuration "-{{initial_interval}}")).UnixMilli]]' + - set: + target: url.params.endtime + value: '[[(now).UnixMilli]]' + - set: + target: header.DTAPI-Signature + value: '[[hmac "sha1" "{{private_token}}" (sprintf "%s?%s\n%s\n%s" .url.Path .url.RawQuery "{{public_token}}" (formatDate (now) "20060102T150405"))]]' +cursor: + last_execution_datetime: + value: '[[toInt .last_event.time]]' +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..b1d260f0f9 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs @@ -0,0 +1,26 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if tcp_options}} +{{tcp_options}} +{{/if}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- syslog: + field: message +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/udp.yml.hbs b/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..f342c4fa75 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/agent/stream/udp.yml.hbs @@ -0,0 +1,23 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if udp_options}} +{{udp_options}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- syslog: + field: message +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/0.1.2/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..126107e391 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,1446 @@ +--- +description: Pipeline for processing Model Breach Alert logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - grok: + field: message + patterns: + - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$" + pattern_definitions: + FIELD: "[a-zA-Z]*" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.time + - json.creationTime + - json.pbid + - json.model.phid + target_field: _id + ignore_missing: true + - set: + field: event.kind + value: alert + if: (['critical','suspicious'].contains(ctx.json?.model?.category?.toLowerCase())) + - set: + field: event.kind + value: event + if: (['compliance','informational'].contains(ctx.json?.model?.category?.toLowerCase())) + - set: + field: event.category + value: [threat] + if: ctx.event?.kind == 'alert' + - set: + field: event.type + value: [info] + - script: + description: Dynamically map event.* fields from metric label. + lang: painless + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + source: + for (component in ctx.json.triggeredComponents) { + if (component?.metric?.label?.toLowerCase().contains('connection')) { + ctx.event?.type?.add('connection'); + if (ctx.event.category == null) { + ctx.event.category = new ArrayList(); + } + ctx.event.category.add('network'); + } + } + - foreach: + field: json.aianalystData + if: ctx.json?.aianalystData instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.related + ignore_failure: true + processor: + convert: + field: _ingest._value + type: long + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.aianalystData + target_field: darktrace.model_breach_alert.aianalyst_data + ignore_missing: true + - uri_parts: + field: json.breachUrl + target_field: darktrace.model_breach_alert.breach_url + if: ctx.json?.breachUrl != null + keep_original: true + on_failure: + - remove: + field: json.breachUrl + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.url + copy_from: darktrace.model_breach_alert.breach_url.original + ignore_failure: true + - convert: + field: json.commentCount + target_field: darktrace.model_breach_alert.comment.count + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.creationTime + target_field: darktrace.model_breach_alert.creation_time + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.creationTime != null + on_failure: + - remove: + field: json.creationTime + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.created + copy_from: darktrace.model_breach_alert.creation_time + ignore_failure: true + - convert: + field: json.devicescore + target_field: darktrace.model_breach_alert.device_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.device.credentials + target_field: darktrace.model_breach_alert.device.credentials + ignore_missing: true + - convert: + field: json.device.did + target_field: darktrace.model_breach_alert.device.did + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - remove: + field: darktrace.model_breach_alert.device.did + ignore_missing: true + if: ctx.darktrace?.model_breach_alert?.device?.did != null && ctx.darktrace?.model_breach_alert?.device?.did < 0 + - convert: + field: darktrace.model_breach_alert.device.did + target_field: host.id + type: string + ignore_missing: true + on_failure: + - remove: + field: darktrace.model_breach_alert.device.did + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.device.firstSeen + target_field: darktrace.model_breach_alert.device.first_seen + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.device?.firstSeen != null + on_failure: + - remove: + field: json.device.firstseen + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.device.hostname + target_field: json.device._temp_.hostname_ip + type: ip + ignore_missing: true + on_failure: + - set: + field: host.hostname + copy_from: json.device.hostname + ignore_failure: true + - append: + field: related.ip + value: '{{{json.device._temp_.hostname_ip}}}' + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device.hostname + target_field: darktrace.model_breach_alert.device.hostname + ignore_missing: true + - append: + field: related.hosts + value: '{{{host.hostname}}}' + allow_duplicates: false + ignore_failure: true + - convert: + field: json.device.ip + target_field: darktrace.model_breach_alert.device._temp_.ip + type: ip + ignore_failure: true + - append: + field: host.ip + value: '{{{darktrace.model_breach_alert.device._temp_.ip}}}' + allow_duplicates: false + ignore_failure: true + - convert: + field: json.device.ip6 + target_field: darktrace.model_breach_alert.device._temp_.ip6 + type: ip + ignore_failure: true + - append: + field: host.ip + value: '{{{darktrace.model_breach_alert.device._temp_.ip6}}}' + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device.ip + target_field: darktrace.model_breach_alert.device.ip + ignore_missing: true + - rename: + field: json.device.ip6 + target_field: darktrace.model_breach_alert.device.ip6 + ignore_missing: true + - remove: + field: + - darktrace.model_breach_alert.device._temp_ + ignore_missing: true + - foreach: + field: host.ip + if: ctx.host?.ip instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.ip + target_field: _ingest._value._temp_.ip + type: ip + ignore_failure: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.timems + target_field: _ingest._value.timems + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.timems + ignore_missing: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.time + target_field: _ingest._value.time + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + - 'yyyy-MM-dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.time + ignore_missing: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.sid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.sid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + remove: + field: _ingest._value._temp_ + ignore_missing: true + - rename: + field: json.device.ips + target_field: darktrace.model_breach_alert.device.ips + ignore_missing: true + - date: + field: json.device.lastSeen + target_field: darktrace.model_breach_alert.device.last_seen + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.device?.lastSeen != null + on_failure: + - remove: + field: json.device.lastseen + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - gsub: + field: json.device.macaddress + target_field: darktrace.model_breach_alert.device.mac_address + pattern: '[:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: darktrace.model_breach_alert.device.mac_address + ignore_missing: true + - set: + field: host.mac + copy_from: darktrace.model_breach_alert.device.mac_address + ignore_failure: true + - convert: + field: json.device.sid + target_field: darktrace.model_breach_alert.device.sid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.tags + if: ctx.json?.device?.tags instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.tid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.tid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.tags + if: ctx.json?.device?.tags instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.thid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.thid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.tags + if: ctx.json?.device?.tags instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.expiry + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.expiry + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.tags + if: ctx.json?.device?.tags instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.restricted + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.restricted + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.tags + if: ctx.json?.device?.tags instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.isReferenced + target_field: _ingest._value.is_referenced + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.isReferenced + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.tags + if: ctx.json?.device?.tags instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.data.auto + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.data.auto + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.tags + if: ctx.json?.device?.tags instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.data.color + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.color + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.device.tags + if: ctx.json?.device?.tags instanceof List + ignore_failure: true + processor: + remove: + field: _ingest._value.isReferenced + ignore_missing: true + - rename: + field: json.device.tags + target_field: darktrace.model_breach_alert.device.tags + ignore_missing: true + - rename: + field: json.device.typelabel + target_field: darktrace.model_breach_alert.device.type_label + ignore_missing: true + - rename: + field: json.device.typename + target_field: darktrace.model_breach_alert.device.type_name + ignore_missing: true + - set: + field: host.type + copy_from: darktrace.model_breach_alert.device.type_name + ignore_failure: true + - rename: + field: json.device.vendor + target_field: darktrace.model_breach_alert.device.vendor + ignore_missing: true + - convert: + field: json.acknowledged + target_field: darktrace.model_breach_alert.is_acknowledged + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.mitreTechniques + if: ctx.json?.mitreTechniques instanceof List + ignore_failure: true + processor: + rename: + field: _ingest._value.techniqueID + target_field: _ingest._value.id + ignore_missing: true + - foreach: + field: json.mitreTechniques + if: ctx.json?.mitreTechniques instanceof List + ignore_failure: true + processor: + rename: + field: _ingest._value.technique + target_field: _ingest._value.name + ignore_missing: true + - rename: + field: json.mitreTechniques + target_field: darktrace.model_breach_alert.mitre_techniques + ignore_missing: true + - foreach: + field: darktrace.model_breach_alert.mitre_techniques + if: ctx.darktrace?.model_breach_alert?.mitre_techniques instanceof List + ignore_failure: true + processor: + append: + field: threat.technique.id + value: '{{{_ingest._value.id}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: darktrace.model_breach_alert.mitre_techniques + if: ctx.darktrace?.model_breach_alert?.mitre_techniques instanceof List + ignore_failure: true + processor: + append: + field: threat.technique.name + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + ignore_failure: true + - rename: + field: json.model.actions.antigena.action + target_field: darktrace.model_breach_alert.model.actions.antigena.action + ignore_missing: true + - set: + field: event.action + copy_from: darktrace.model_breach_alert.model.actions.antigena.action + ignore_failure: true + - convert: + field: json.model.actions.antigena.duration + target_field: darktrace.model_breach_alert.model.actions.antigena.duration + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.actions.antigena.confirm + target_field: darktrace.model_breach_alert.model.actions.antigena.is_confirm_by_human_operator + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.actions.antigena.threshold + target_field: darktrace.model_breach_alert.model.actions.antigena.threshold + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.actions.alert + target_field: darktrace.model_breach_alert.model.actions.is_alerting + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.actions.breach + target_field: darktrace.model_breach_alert.model.actions.is_breach + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.actions.setPriority + target_field: darktrace.model_breach_alert.model.actions.is_priority_set + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.actions.setTag + target_field: darktrace.model_breach_alert.model.actions.is_tag_set + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.actions.setType + target_field: darktrace.model_breach_alert.model.actions.is_type_set + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.actions.model + target_field: darktrace.model_breach_alert.model.actions.model + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.activeTimes.version + type: long + ignore_missing: true + on_failure: + - remove: + field: json.model.activeTimes.version + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.model.activeTimes + target_field: darktrace.model_breach_alert.model.active_times + ignore_missing: true + - rename: + field: json.model.behaviour + target_field: darktrace.model_breach_alert.model.behaviour + ignore_missing: true + - rename: + field: json.model.category + target_field: darktrace.model_breach_alert.model.category + ignore_missing: true + - set: + field: rule.category + copy_from: darktrace.model_breach_alert.model.category + ignore_failure: true + - rename: + field: json.model.created.by + target_field: darktrace.model_breach_alert.model.created.by + ignore_missing: true + - append: + field: related.user + value: '{{{darktrace.model_breach_alert.model.created.by}}}' + allow_duplicates: false + ignore_failure: true + - set: + field: rule.author + copy_from: darktrace.model_breach_alert.model.created.by + ignore_failure: true + - foreach: + field: json.model.defeats + if: ctx.json?.model?.defeats instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.defeatID + target_field: _ingest._value.id + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.defeatID + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.model.defeats + if: ctx.json?.model?.defeats instanceof List + ignore_failure: true + processor: + remove: + field: _ingest._value.defeatID + ignore_missing: true + - rename: + field: json.model.defeats + target_field: darktrace.model_breach_alert.model.defeats + ignore_missing: true + - convert: + field: json.model.delay + target_field: darktrace.model_breach_alert.model.delay + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.model.description + target_field: darktrace.model_breach_alert.model.description + ignore_missing: true + - set: + field: rule.description + copy_from: darktrace.model_breach_alert.model.description + ignore_failure: true + - rename: + field: json.model.edited.by + target_field: darktrace.model_breach_alert.model.edited.by + ignore_missing: true + - append: + field: related.user + value: '{{{darktrace.model_breach_alert.model.edited.by}}}' + allow_duplicates: false + ignore_failure: true + - convert: + field: json.model.compliance + target_field: darktrace.model_breach_alert.model.in_compliance_behavior_category + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.interval + target_field: darktrace.model_breach_alert.model.interval + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.active + target_field: darktrace.model_breach_alert.model.is_active + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.autoSuppress + target_field: darktrace.model_breach_alert.model.is_auto_suppress + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.autoUpdatable + target_field: darktrace.model_breach_alert.model.is_auto_updatable + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.autoUpdate + target_field: darktrace.model_breach_alert.model.is_auto_update + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.sequenced + target_field: darktrace.model_breach_alert.model.is_sequenced + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.sharedEndpoints + target_field: darktrace.model_breach_alert.model.is_shared_endpoints + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - script: + description: Dynamically map model.logic.data array using model.logic.type field. + if: ctx.json?.model?.logic?.data instanceof List + lang: painless + ignore_failure: true + params: + componentList: data_component_list + weightedComponentList: data_weighted_component_list + source: + def data = ctx.json.model.logic.data; + if (ctx.json.model.logic?.type != null) { + if (['componentList', 'weightedComponentList'].contains(ctx.json.model.logic?.type)) { + ctx["json"]["model"]["logic"][params.get(ctx.json.model.logic?.type)] = data; + } else { + ctx["json"]["model"]["logic"]["data_" + ctx.json.model.logic?.type] = data; + } + } + ctx.json.model.logic.remove("data"); + - convert: + field: json.model.logic.data_component_list + type: long + ignore_missing: true + on_failure: + - remove: + field: json.model.logic.data_component_list + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.logic.data_weighted_component_list.cid + type: long + ignore_missing: true + on_failure: + - remove: + field: json.model.logic.data_weighted_component_list.cid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.logic.data_weighted_component_list.weight + type: long + ignore_missing: true + on_failure: + - remove: + field: json.model.logic.data_weighted_component_list.weight + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.logic.version + type: long + ignore_missing: true + on_failure: + - remove: + field: json.model.logic.version + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.logic.targetScore + target_field: json.model.logic.target_score + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - remove: + field: json.model.logic.targetScore + ignore_missing: true + - rename: + field: json.model.logic + target_field: darktrace.model_breach_alert.model.logic + ignore_missing: true + - date: + field: json.model.modified + target_field: darktrace.model_breach_alert.model.modified + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + - 'yyyy-MM-dd HH:mm:ss' + if: ctx.json?.model?.modified != null + on_failure: + - remove: + field: json.model.modified + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.model.name + target_field: darktrace.model_breach_alert.model.name + ignore_missing: true + - set: + field: rule.name + copy_from: darktrace.model_breach_alert.model.name + ignore_failure: true + - convert: + field: json.model.phid + target_field: darktrace.model_breach_alert.model.phid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.pid + target_field: darktrace.model_breach_alert.model.pid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.priority + target_field: darktrace.model_breach_alert.model.priority + type: long + ignore_missing: true + on_failure: + - remove: + field: json.model.priority + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.severity + copy_from: darktrace.model_breach_alert.model.priority + ignore_failure: true + - rename: + field: json.model.tags + target_field: darktrace.model_breach_alert.model.tags + ignore_missing: true + - set: + field: rule.ruleset + copy_from: darktrace.model_breach_alert.model.tags + ignore_failure: true + - convert: + field: json.model.throttle + target_field: darktrace.model_breach_alert.model.throttle + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.model.userID + target_field: darktrace.model_breach_alert.model.userid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.model.uuid + target_field: darktrace.model_breach_alert.model.uuid + ignore_missing: true + - set: + field: rule.uuid + copy_from: darktrace.model_breach_alert.model.uuid + ignore_failure: true + - convert: + field: json.model.version + target_field: darktrace.model_breach_alert.model.version + type: long + ignore_missing: true + on_failure: + - remove: + field: json.model.version + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: darktrace.model_breach_alert.model.version + target_field: rule.version + type: string + ignore_missing: true + on_failure: + - remove: + field: darktrace.model_breach_alert.model.version + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.pbscore + target_field: darktrace.model_breach_alert.pb_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.pbid + target_field: darktrace.model_breach_alert.pbid + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.score + target_field: darktrace.model_breach_alert.score + type: double + ignore_missing: true + on_failure: + - remove: + field: json.score + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.risk_score + copy_from: darktrace.model_breach_alert.score + ignore_failure: true + - script: + description: Normalize event.risk_score to event.risk_score_norm + lang: painless + if: ctx.event?.risk_score != null + source: + def normalizedRiskScore = ctx.event.risk_score * 100.0; + ctx.event.risk_score_norm = normalizedRiskScore; + - date: + field: json.time + target_field: darktrace.model_breach_alert.time + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.time != null + on_failure: + - remove: + field: json.time + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + copy_from: darktrace.model_breach_alert.time + ignore_failure: true + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.cbid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cbid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.chid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.chid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.cid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.interval + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.interval + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - script: + description: Stringify logic.data field of triggeredComponents array. + lang: painless + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + source: + for (component in ctx.json.triggeredComponents) { + component.logic.data = component?.logic?.data.toString(); + } + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.metric.mlid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.metric.mlid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.size + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.size + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.threshold + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.threshold + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.time + target_field: _ingest._value.time + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.time + ignore_missing: true + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + append: + field: event.start + value: '{{{_ingest._value.time}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + convert: + field: _ingest._value.cfid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.cfid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + rename: + field: _ingest._value.comparatorType + target_field: _ingest._value.comparator_type + ignore_missing: true + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + rename: + field: _ingest._value.filterType + target_field: _ingest._value.filter_type + ignore_missing: true + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + convert: + field: _ingest._value.trigger.tag.data.auto + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.trigger.tag.data.auto + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + convert: + field: _ingest._value.trigger.tag.data.color + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.trigger.tag.data.color + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + convert: + field: _ingest._value.trigger.tag.expiry + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.trigger.tag.expiry + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + convert: + field: _ingest._value.trigger.tag.isReferenced + target_field: _ingest._value.trigger.tag.is_referenced + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.trigger.tag.isReferenced + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + convert: + field: _ingest._value.trigger.tag.restricted + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.trigger.tag.restricted + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + convert: + field: _ingest._value.trigger.tag.thid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.trigger.tag.thid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + convert: + field: _ingest._value.trigger.tag.tid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.trigger.tag.tid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.triggeredFilters + ignore_failure: true + processor: + remove: + field: _ingest._value.trigger.tag.isReferenced + ignore_missing: true + - foreach: + field: json.triggeredComponents + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + processor: + rename: + field: _ingest._value.triggeredFilters + target_field: _ingest._value.triggered_filters + ignore_missing: true + - rename: + field: json.triggeredComponents + target_field: darktrace.model_breach_alert.triggered_components + ignore_missing: true + - remove: + field: json + ignore_missing: true + - remove: + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + field: + - darktrace.model_breach_alert.time + - darktrace.model_breach_alert.model.actions.antigena.action + - darktrace.model_breach_alert.creation_time + - darktrace.model_breach_alert.score + - darktrace.model_breach_alert.model.priority + - darktrace.model_breach_alert.device.did + - darktrace.model_breach_alert.device.mac_address + - darktrace.model_breach_alert.device.type_name + - darktrace.model_breach_alert.model.created.by + - darktrace.model_breach_alert.model.category + - darktrace.model_breach_alert.model.description + - darktrace.model_breach_alert.model.name + - darktrace.model_breach_alert.model.tags + - darktrace.model_breach_alert.model.uuid + - darktrace.model_breach_alert.model.version + - darktrace.model_breach_alert.mitre_techniques + ignore_failure: true + ignore_missing: true + - foreach: + field: darktrace.model_breach_alert.triggered_components + if: ctx.darktrace?.model_breach_alert?.triggered_components instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) + ignore_failure: true + processor: + remove: + field: + - _ingest._value.time + ignore_missing: true + ignore_failure: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/agent.yml b/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/agent.yml new file mode 100755 index 0000000000..2ad539b9eb --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/agent.yml @@ -0,0 +1,165 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: containerized + type: boolean + description: >- + If the host is a container. + - name: os.build + type: keyword + example: '18D109' + description: > + OS build information. + + - name: os.codename + type: keyword + example: 'stretch' + description: >- + OS codename, if any. +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/base-fields.yml b/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/base-fields.yml new file mode 100755 index 0000000000..7dd51b599c --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: darktrace +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: darktrace.model_breach_alert +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/ecs.yml b/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/ecs.yml new file mode 100755 index 0000000000..84d84df374 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/ecs.yml @@ -0,0 +1,177 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Normalized risk score or priority of the event, on a scale of 0 to 100. + This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + name: event.risk_score_norm + type: float +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Type of host. + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + name: host.type + type: keyword +- description: The device or application that originated the Syslog message, if available. + name: log.syslog.appname + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: The Syslog text-based facility of the log event, if available. + name: log.syslog.facility.name + type: keyword +- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. + name: log.syslog.hostname + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + name: log.syslog.severity.name + type: keyword +- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. + name: log.syslog.version + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + name: rule.author + normalize: + - array + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: The version / revision of the rule being used for analysis. + name: rule.version + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.id + normalize: + - array + type: keyword +- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + multi_fields: + - name: text + type: match_only_text + name: threat.technique.name + normalize: + - array + type: keyword diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/fields.yml b/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/fields.yml new file mode 100755 index 0000000000..a972362479 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/fields/fields.yml @@ -0,0 +1,428 @@ +- name: darktrace.model_breach_alert + type: group + fields: + - name: aianalyst_data + type: group + fields: + - name: related + type: long + - name: summariser + type: keyword + - name: uuid + type: keyword + - name: breach_url + type: group + description: A link to the specific model breach in the Darktrace Threat Visualizer - the configuration option FQDN must be set for this field to appear. + fields: + - name: domain + type: keyword + - name: extension + type: keyword + - name: fragment + type: keyword + - name: full + type: keyword + - name: original + type: keyword + - name: password + type: keyword + - name: path + type: keyword + - name: port + type: long + - name: query + type: keyword + - name: scheme + type: keyword + - name: username + type: keyword + - name: comment + type: group + fields: + - name: count + type: long + description: The number of comments made against this breach. + - name: creation_time + type: date + description: The timestamp that the record of the breach was created. This is distinct from the “time” field. + - name: device_score + type: double + - name: device + type: group + fields: + - name: credentials + type: keyword + - name: did + type: long + description: The “device id”, a unique identifier. + - name: first_seen + type: date + description: The first time the device was seen on the network. + - name: hostname + type: keyword + description: The current device hostname. + - name: ip + type: keyword + description: The current IP associated with the device. + - name: ip6 + type: keyword + description: Current IPv6 address of this device if applicable, otherwise undefined. + - name: ips + type: group + fields: + - name: ip + type: keyword + description: A historic IP associated with the device. + - name: sid + type: long + description: The subnet id for the subnet the IP belongs to. + - name: time + type: date + description: The time the IP was last seen associated with that device in readable format. + - name: timems + type: date + description: The time the IP was last seen associated with that device in epoch time. + - name: last_seen + type: date + description: The last time the device was seen on the network. + - name: mac_address + type: keyword + description: The current MAC address associated with the device. + - name: sid + type: long + description: The subnet id for the subnet the device is currently located in. + - name: tags + type: group + fields: + - name: data + type: group + fields: + - name: auto + type: boolean + - name: color + type: long + - name: description + type: keyword + - name: visibility + type: keyword + - name: expiry + type: long + - name: is_referenced + type: boolean + - name: name + type: keyword + - name: restricted + type: boolean + - name: thid + type: long + - name: tid + type: long + - name: type_label + type: keyword + description: The device type in readable format. + - name: type_name + type: keyword + description: The device type in system format. + - name: vendor + type: keyword + description: The vendor of the device network card as derived by Darktrace from the MAC address. + - name: is_acknowledged + type: boolean + - name: mitre_techniques + type: group + description: Any mapped MITRE ATT&CK techniques the model corresponds to. + fields: + - name: name + type: keyword + - name: id + type: keyword + - name: model + type: group + fields: + - name: actions + type: group + fields: + - name: antigena + type: group + fields: + - name: action + type: keyword + description: The action to be performed. + - name: duration + type: long + description: The duration in seconds that the antigena action should last for. + - name: is_confirm_by_human_operator + type: boolean + description: Whether the action must be confirmed by a human operator, regardless of the global setting for Human Confirmation mode. + - name: threshold + type: long + description: The breach score threshold (out of 100) over which antigena will take an action. + - name: is_alerting + type: boolean + description: If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. + - name: is_breach + type: boolean + description: If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. + - name: is_priority_set + type: boolean + description: If the priority is to be changed on breach, the numeric value it should become. If no priority change action, a false boolean. + - name: is_tag_set + type: boolean + description: If a tag is to be applied on model breach, a single number or array of the system ID for the tag(s) to be applied. If no tag action, a false boolean. + - name: is_type_set + type: boolean + description: If a change device type action is to be applied on model breach, the numeric system ID for the label to be applied. If no change device type action is applied to the model, a false boolean. + - name: model + type: boolean + description: If true, creates an event in the device’s event log without creating an alert/ model breach in the threat tray. + - name: active_times + type: group + fields: + - name: devices + type: flattened + description: The device ids for devices on the list. + - name: tags + type: flattened + description: A system field. + - name: type + type: keyword + description: 'The type of list: “restrictions” indicates a blacklist, “exclusions” a whitelist.' + - name: version + type: long + description: A system field. + - name: behaviour + type: keyword + description: The score modulation function as set in the model editor. + - name: category + type: keyword + description: The behavior category of the model that was breached. + - name: created + type: group + fields: + - name: by + type: keyword + description: Username that created the model. + - name: defeats + type: group + fields: + - name: arguments + type: group + fields: + - name: value + type: keyword + description: The value(s) that must match for the defeat to take effect. + - name: comparator + type: keyword + description: The comparator that the value is compared against the create the defeat. + - name: filtertype + type: keyword + description: The filter the defeat is made from. + - name: id + type: long + description: A unique ID for the defeat. + - name: delay + type: long + description: Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models. + - name: description + type: keyword + description: The optional description of the model. + - name: edited + type: group + fields: + - name: by + type: keyword + description: Username that last edited the model. + - name: userid + type: long + - name: in_compliance_behavior_category + type: boolean + description: Whether the model is in the compliance behavior category. + - name: interval + type: long + description: Where a model contains multiple components, this interval represents the time window in seconds in which all the components should fire for this model to be breached. + - name: is_active + type: boolean + description: Whether the model is enabled or disabled. + - name: is_auto_suppress + type: boolean + description: Whether the model will automatically be suppressed in the case of over-breaching. + - name: is_auto_updatable + type: boolean + description: Whether the model is suitable for auto update. + - name: is_auto_update + type: boolean + description: Whether the model is enabled for auto update. + - name: is_sequenced + type: boolean + description: Whether the components are required to fire in the specified order for the model breach to occur. + - name: is_shared_endpoints + type: boolean + description: For models that contain multiple components that reference an endpoint, this value indicates whether all endpoints should be identical for the model to fire. + - name: logic + type: group + fields: + - name: data_component_list + type: long + description: This will be a list of component ID numbers. + - name: data_weighted_component_list + type: group + description: This model is a weighted type this will be a list of component ID, weight object pairs. + fields: + - name: cid + type: long + - name: weight + type: long + - name: target_score + type: long + - name: type + type: keyword + description: The type of model. + - name: version + type: long + description: A number representing the version of model logic. + - name: modified + type: date + description: Timestamp at which the model was last modified, in a readable format. + - name: name + type: keyword + description: Name of the model that was breached. + - name: phid + type: long + description: The model “policy history” id. Increments when the model is modified. + - name: pid + type: long + description: The “policy id” of the model that was breached. + - name: priority + type: long + description: The model’s priority affects the strength with which it breaches (0-5 scale). + - name: tags + type: keyword + description: A list of tags that have been applied to this model in the Threat Visualizer model editor. + - name: throttle + type: long + description: For an individual device, this is the value in seconds for which this model will not fire again. + - name: uuid + type: keyword + description: A unique ID that is generated on creation of the model. + - name: version + type: long + description: The version of the model. Increments on each edit. + - name: pb_score + type: double + description: The model breach score, represented by a value between 0 and 1. + - name: pbid + type: long + description: The “policy breach ID” of the model breach. + - name: score + type: double + description: The model breach score, represented by a value between 0 and 1. + - name: time + type: date + description: The timestamp when the record was created in epoch time. + - name: triggered_components + type: group + fields: + - name: cbid + type: long + description: The “component breach id”. A unique identifier for the component breach. + - name: chid + type: long + description: The “component history id”. Increments when the component is edited. + - name: cid + type: long + description: The “component id”. A unique identifier. + - name: interval + type: long + description: The timeframe in seconds within which the threshold must be satisfied. + - name: logic + type: group + fields: + - name: data + type: text + description: It representing the logical relationship between component filters. Each filter is given an alphabetical reference and the contents of this field describe the relationship between those filters. + - name: version + type: keyword + description: The version of the component logic. + - name: metric + type: group + fields: + - name: label + type: keyword + description: The metric which data is returned for in readable format. + - name: mlid + type: long + description: The “metric logic” id - unique identifier. + - name: name + type: keyword + description: The metric which data is returned for in system format. + - name: size + type: long + description: The size of the value that was compared in the component. + - name: threshold + type: long + description: The threshold value that the size must exceed for the component to breach. + - name: time + type: date + description: A timestamp in Epoch time at which the components were triggered. + - name: triggered_filters + type: group + fields: + - name: arguments + type: group + fields: + - name: value + type: keyword + description: The value the filtertype should be compared against (using the specified comparator) to create the filter. + - name: cfid + type: long + description: The ‘component filter id’. A unique identifier for the filter as part of a the component. + - name: comparator_type + type: keyword + description: The comparator. A full list of comparators available for each filtertype can be found on the /filtertypes endpoint. + - name: filter_type + type: keyword + description: The filtertype that is used in the filter. A full list of filtertypes can be found on the /filtertypes endpoint. + - name: id + type: keyword + description: A filter that is used in the component logic. All filters are given alphabetical identifiers. Display filters - those that appear in the breach notification - can be identified by a lowercase ‘d’ and a numeral. + - name: trigger + type: group + fields: + - name: tag + type: group + fields: + - name: data + type: group + fields: + - name: auto + type: boolean + - name: color + type: long + - name: description + type: keyword + - name: visibility + type: keyword + - name: expiry + type: long + description: nan + - name: isReferenced + type: boolean + description: nan + - name: name + type: keyword + description: nan + - name: restricted + type: boolean + description: nan + - name: thid + type: long + description: nan + - name: tid + type: long + description: nan + - name: value + type: keyword + description: The actual value that triggered the filter. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/manifest.yml b/packages/darktrace/0.1.2/data_stream/model_breach_alert/manifest.yml new file mode 100755 index 0000000000..1f16664378 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/manifest.yml @@ -0,0 +1,179 @@ +title: Collect Model Breach Alert logs from Darktrace +type: logs +streams: + - input: httpjson + title: Model Breach Alert logs + description: Collect Model Breach Alert logs via API. + template_path: httpjson.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the Model Breach Alert logs from Darktrace. NOTE:- Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Darktrace API. NOTE:- Supported units for this parameter are h/m/s. + default: 1m + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace-model_breach_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp + title: Model Breach Alert logs + description: Collect Model Breach Alert logs via TCP input. + template_path: tcp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9572 + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace-model_breach_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + title: Model Breach Alert logs + description: Collect Model Breach Alert logs via UDP input. + template_path: udp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9575 + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace-model_breach_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/darktrace/0.1.2/data_stream/model_breach_alert/sample_event.json b/packages/darktrace/0.1.2/data_stream/model_breach_alert/sample_event.json new file mode 100755 index 0000000000..8766072976 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/model_breach_alert/sample_event.json @@ -0,0 +1,583 @@ +{ + "@timestamp": "2022-07-11T13:04:08.000Z", + "agent": { + "ephemeral_id": "572d7663-c480-491f-b06f-96f0330cf942", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "model_breach_alert": { + "aianalyst_data": [ + { + "related": [ + 1 + ], + "summariser": "BeaconSummary", + "uuid": "1234abcd-1234-1234-1234-123456abcdef" + } + ], + "comment": { + "count": 0 + }, + "creation_time": "2022-07-11T13:04:19.000Z", + "device": { + "did": 3, + "first_seen": "2022-07-11T12:54:49.000Z", + "ip": "81.2.69.142", + "last_seen": "2022-07-11T13:00:18.000Z", + "sid": 1, + "type_label": "Desktop", + "type_name": "desktop" + }, + "model": { + "actions": { + "is_alerting": true, + "is_breach": true, + "is_priority_set": false, + "is_tag_set": false, + "is_type_set": false, + "model": true + }, + "active_times": { + "type": "exclusions", + "version": 2 + }, + "behaviour": "incdec1", + "category": "Informational", + "created": { + "by": "System" + }, + "delay": 0, + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", + "edited": { + "by": "System" + }, + "in_compliance_behavior_category": false, + "interval": 10800, + "is_active": true, + "is_auto_suppress": true, + "is_auto_updatable": true, + "is_auto_update": true, + "is_sequenced": false, + "is_shared_endpoints": false, + "logic": { + "data_weighted_component_list": [ + { + "cid": 2026, + "weight": 1 + }, + { + "cid": 2024, + "weight": 1 + }, + { + "cid": 2025, + "weight": -100 + } + ], + "target_score": 1, + "type": "weightedComponentList", + "version": 1 + }, + "modified": "2022-07-11T11:47:37.000Z", + "name": "Compromise::Beaconing Activity To External Rare", + "phid": 1072, + "pid": 156, + "priority": 2, + "tags": [ + "AP: C2 Comms" + ], + "throttle": 10800, + "uuid": "1234abcd-1234-1234-1234-123456abcdef", + "version": 23 + }, + "pbid": 1, + "score": 0.674, + "time": "2022-07-11T13:04:08.000Z", + "triggered_components": [ + { + "cbid": 1, + "chid": 2113, + "cid": 2026, + "interval": 3600, + "logic": { + "data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}", + "version": "v0.1" + }, + "metric": { + "label": "External Connections", + "mlid": 1, + "name": "externalconnections" + }, + "size": 11, + "threshold": 10, + "time": "2022-07-11T13:04:08.000Z", + "triggered_filters": [ + { + "arguments": { + "value": 60 + }, + "cfid": 23426, + "comparator_type": "\u003e", + "filter_type": "Beaconing score", + "id": "A", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23427, + "comparator_type": "\u003e", + "filter_type": "Individual size up", + "id": "AA", + "trigger": { + "value": "4382" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23428, + "comparator_type": "\u003e", + "filter_type": "Rare domain", + "id": "AB", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23430, + "comparator_type": "\u003c", + "filter_type": "Age of destination", + "id": "AD", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23431, + "comparator_type": "\u003c", + "filter_type": "Age of external hostname", + "id": "AE", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23432, + "comparator_type": "does not match regular expression", + "filter_type": "Connection hostname", + "id": "AF", + "trigger": { + "value": "example.com" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23433, + "comparator_type": "does not match regular expression", + "filter_type": "ASN", + "id": "AG", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "5d41402abc4b2a76b9719d911017c592" + }, + "cfid": 23434, + "comparator_type": "does not match", + "filter_type": "JA3 hash", + "id": "AH", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23435, + "comparator_type": "\u003e", + "filter_type": "Rare external IP", + "id": "B", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": "1003" + }, + "cfid": 23436, + "comparator_type": "is not", + "filter_type": "Application protocol", + "id": "C", + "trigger": { + "value": "1004" + } + }, + { + "arguments": { + "value": 53 + }, + "cfid": 23437, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "D", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "out" + }, + "cfid": 23438, + "comparator_type": "is", + "filter_type": "Direction", + "id": "E", + "trigger": { + "value": "out" + } + }, + { + "arguments": { + "value": 137 + }, + "cfid": 23439, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "H", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": 161 + }, + "cfid": 23440, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "I", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "6" + }, + "cfid": 23441, + "comparator_type": "is", + "filter_type": "Protocol", + "id": "J", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "Company" + }, + "cfid": 23442, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "K", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "Company" + }, + "cfid": 23443, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "L", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "13" + }, + "cfid": 23444, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "M", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "5" + }, + "cfid": 23445, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "N", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "9" + }, + "cfid": 23446, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "O", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "12" + }, + "cfid": 23447, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "P", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "30" + }, + "cfid": 23448, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "S", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "4" + }, + "cfid": 23449, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "U", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "3" + }, + "cfid": 23450, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "V", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "false" + }, + "cfid": 23451, + "comparator_type": "is", + "filter_type": "Trusted hostname", + "id": "X", + "trigger": { + "value": "false" + } + }, + { + "arguments": { + "value": 26 + }, + "cfid": 23452, + "comparator_type": "does not have tag", + "filter_type": "Tagged internal source", + "id": "Y", + "trigger": { + "tag": { + "data": { + "auto": false, + "color": 5, + "visibility": "Public" + }, + "expiry": 0, + "is_referenced": true, + "name": "No Device Tracking", + "restricted": false, + "thid": 26, + "tid": 26 + }, + "value": "26" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23453, + "comparator_type": "\u003e", + "filter_type": "Individual size down", + "id": "Z", + "trigger": { + "value": "5862" + } + }, + { + "cfid": 23454, + "comparator_type": "display", + "filter_type": "JA3 hash", + "id": "d1", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "cfid": 23455, + "comparator_type": "display", + "filter_type": "ASN", + "id": "d2", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "cfid": 23456, + "comparator_type": "display", + "filter_type": "Destination IP", + "id": "d3", + "trigger": { + "value": "81.2.69.192" + } + }, + { + "cfid": 23457, + "comparator_type": "display", + "filter_type": "Connection hostname", + "id": "d4", + "trigger": { + "value": "example.com" + } + } + ] + } + ] + } + }, + "data_stream": { + "dataset": "darktrace.model_breach_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2022-07-11T13:04:19.000Z", + "dataset": "darktrace.model_breach_alert", + "ingested": "2022-09-30T11:39:13Z", + "kind": "event", + "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "risk_score": 0.674, + "risk_score_norm": 67.4, + "severity": 2, + "start": [ + "2022-07-11T13:04:08.000Z" + ], + "type": [ + "info", + "connection" + ] + }, + "host": { + "id": "3", + "ip": [ + "81.2.69.142" + ], + "type": "desktop" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.128.5:60206" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "System" + ] + }, + "rule": { + "author": "System", + "category": "Informational", + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", + "name": "Compromise::Beaconing Activity To External Rare", + "ruleset": [ + "AP: C2 Comms" + ], + "uuid": "1234abcd-1234-1234-1234-123456abcdef", + "version": "23" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace-model_breach_alert" + ] +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/0.1.2/data_stream/system_status_alert/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..b1d260f0f9 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/agent/stream/tcp.yml.hbs @@ -0,0 +1,26 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if tcp_options}} +{{tcp_options}} +{{/if}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- syslog: + field: message +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/agent/stream/udp.yml.hbs b/packages/darktrace/0.1.2/data_stream/system_status_alert/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..f342c4fa75 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/agent/stream/udp.yml.hbs @@ -0,0 +1,23 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if udp_options}} +{{udp_options}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- syslog: + field: message +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/0.1.2/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..50abd1f616 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,235 @@ +--- +description: Pipeline for processing System Status Alert logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - grok: + field: message + patterns: + - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$" + pattern_definitions: + FIELD: "[a-zA-Z]*" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.uuid + - json.last_updated + - json.last_updated_status + - json.message + target_field: _id + ignore_missing: true + - set: + field: event.type + value: [info] + - set: + field: event.kind + value: event + - set: + field: event.kind + value: alert + if: (['active','resolved'].contains(ctx.json?.status?.toLowerCase())) + - date: + field: json.last_updated + target_field: darktrace.system_status_alert.last_updated + formats: + - ISO8601 + - UNIX + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.last_updated != null + on_failure: + - remove: + field: json.last_updated + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + copy_from: darktrace.system_status_alert.last_updated + ignore_failure: true + - rename: + field: json.uuid + target_field: darktrace.system_status_alert.uuid + ignore_missing: true + - set: + field: event.id + copy_from: darktrace.system_status_alert.uuid + ignore_failure: true + - rename: + field: json.message + target_field: darktrace.system_status_alert.message + ignore_missing: true + - set: + field: event.reason + copy_from: darktrace.system_status_alert.message + ignore_failure: true + - convert: + field: json.priority + target_field: darktrace.system_status_alert.priority + type: double + ignore_missing: true + on_failure: + - remove: + field: json.priority + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.risk_score + copy_from: darktrace.system_status_alert.priority + ignore_failure: true + - set: + field: event.risk_score_norm + copy_from: darktrace.system_status_alert.priority + ignore_failure: true + - uri_parts: + field: json.url + target_field: darktrace.system_status_alert.url + if: ctx.json?.url != null + keep_original: true + on_failure: + - remove: + field: json.url + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.url + copy_from: darktrace.system_status_alert.url.original + ignore_failure: true + - rename: + field: json.hostname + target_field: darktrace.system_status_alert.hostname + ignore_missing: true + - convert: + field: darktrace.system_status_alert.hostname + target_field: darktrace.system_status_alert._temp_.hostname_ip + type: ip + ignore_missing: true + on_failure: + - set: + field: host.hostname + copy_from: darktrace.system_status_alert.hostname + ignore_failure: true + - append: + field: related.ip + value: '{{{darktrace.system_status_alert._temp_.hostname_ip}}}' + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{host.hostname}}}' + allow_duplicates: false + ignore_failure: true + - convert: + field: json.ip_address + target_field: darktrace.system_status_alert._temp_.ip_address + type: ip + ignore_failure: true + - set: + field: host.ip + copy_from: darktrace.system_status_alert._temp_.ip_address + ignore_failure: true + - append: + field: related.ip + value: '{{{host.ip}}}' + allow_duplicates: false + ignore_failure: true + - rename: + field: json.ip_address + target_field: darktrace.system_status_alert.ip_address + ignore_missing: true + - remove: + field: darktrace.system_status_alert._temp_ + ignore_missing: true + - rename: + field: json.acknowledge_timeout + target_field: darktrace.system_status_alert.acknowledge_timeout + ignore_missing: true + - rename: + field: json.alert_name + target_field: darktrace.system_status_alert.alert_name + ignore_missing: true + - convert: + field: json.child_id + target_field: darktrace.system_status_alert.child_id + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.last_updated_status + target_field: darktrace.system_status_alert.last_updated_status + formats: + - ISO8601 + - UNIX + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.last_updated_status != null + on_failure: + - remove: + field: json.last_updated_status + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.name + target_field: darktrace.system_status_alert.name + ignore_missing: true + - rename: + field: json.priority_level + target_field: darktrace.system_status_alert.priority_level + ignore_missing: true + - lowercase: + field: json.status + target_field: darktrace.system_status_alert.status + ignore_failure: true + - remove: + field: json + ignore_missing: true + - remove: + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + field: + - darktrace.system_status_alert.last_updated + - darktrace.system_status_alert.uuid + - darktrace.system_status_alert.message + - darktrace.system_status_alert.priority + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/agent.yml b/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/agent.yml new file mode 100755 index 0000000000..feb71b5a75 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/agent.yml @@ -0,0 +1,174 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: >- + If the host is a container. + - name: os.build + type: keyword + example: '18D109' + description: >- + OS build information. + - name: os.codename + type: keyword + example: 'stretch' + description: >- + OS codename, if any. +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/base-fields.yml b/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/base-fields.yml new file mode 100755 index 0000000000..ba05367fe7 --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: darktrace +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: darktrace.system_status_alert +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/ecs.yml b/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/ecs.yml new file mode 100755 index 0000000000..d16f40b89a --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/ecs.yml @@ -0,0 +1,119 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Normalized risk score or priority of the event, on a scale of 0 to 100. + This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + name: event.risk_score_norm + type: float +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: The device or application that originated the Syslog message, if available. + name: log.syslog.appname + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: The Syslog text-based facility of the log event, if available. + name: log.syslog.facility.name + type: keyword +- description: The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. + name: log.syslog.hostname + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + name: log.syslog.severity.name + type: keyword +- description: The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. + name: log.syslog.version + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/fields.yml b/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/fields.yml new file mode 100755 index 0000000000..5bd54f4a6b --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/fields/fields.yml @@ -0,0 +1,70 @@ +- name: darktrace.system_status_alert + type: group + fields: + - name: acknowledge_timeout + type: keyword + description: When acknowledgement of the alert expires. As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases. + - name: alert_name + type: keyword + description: A human readable name of the alert type. + - name: child_id + type: long + description: For probes (physical or virtual), the unique ID associated with the probe. + - name: hostname + type: keyword + description: The hostname (if known) of the host experiencing the system alert. An exception exists for disconnection notices, where the hostname will be of the master from which the instance has disconnected. + - name: ip_address + type: keyword + description: The IP of the host experiencing the system alert. An exception exists for disconnection notices, where the IP will be of the master from which the instance has disconnected. + - name: last_updated + type: date + description: A timestamp in epoch time that the system alert itself was updated. + - name: last_updated_status + type: date + description: A timestamp in epoch time that the status of the system alert was last updated globally. A status update is distinct from a update to the alert itself. + - name: message + type: keyword + description: A textual description of the system event that has triggered the alert. + - name: name + type: keyword + description: A system name of the alert type. + - name: priority + type: double + description: The numeric criticality associated with the alert. + - name: priority_level + type: keyword + description: 'The criticality of the alert. This value is calculated from the priority value: 0 - 40 low, 41 - 60 medium, 61 - 80 high, 81 - 100 critical.' + - name: status + type: keyword + description: The current status of the alert. Active alerts are ongoing, acknowledged events are those acknowledged on the System Status page, resolved alerts are system alerts that are no longer ongoing. Alerts will only be sent when alert enters the “active” or “resolved” state. + - name: url + type: group + fields: + - name: domain + type: keyword + - name: extension + type: keyword + - name: fragment + type: keyword + - name: full + type: keyword + - name: original + type: keyword + - name: password + type: keyword + - name: path + type: keyword + - name: port + type: long + - name: query + type: keyword + - name: scheme + type: keyword + - name: username + type: keyword + - name: uuid + type: keyword + description: A consistent UUID that can be used to navigate to the specific alert in the Threat Visualizer (https://[instance]/sysstatus/[uuid]). Where an alert is reactivated after resolution due to the issue reoccurring, the UUId will remain consistent across alerts. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/manifest.yml b/packages/darktrace/0.1.2/data_stream/system_status_alert/manifest.yml new file mode 100755 index 0000000000..1f115305dc --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/manifest.yml @@ -0,0 +1,117 @@ +title: Collect System Status Alert logs from Darktrace +type: logs +streams: + - input: tcp + title: System Status Alert logs + description: Collect System Status Alert logs via TCP input. + template_path: tcp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9573 + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace-system_status_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + title: System Status Alert logs + description: Collect System Status Alert logs via UDP input. + template_path: udp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9576 + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace-system_status_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/darktrace/0.1.2/data_stream/system_status_alert/sample_event.json b/packages/darktrace/0.1.2/data_stream/system_status_alert/sample_event.json new file mode 100755 index 0000000000..31283fa03a --- /dev/null +++ b/packages/darktrace/0.1.2/data_stream/system_status_alert/sample_event.json @@ -0,0 +1,92 @@ +{ + "@timestamp": "2021-04-18T15:44:11.000Z", + "agent": { + "ephemeral_id": "5b042cea-01fa-47a2-ab0f-ac1f7baa6bd2", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "system_status_alert": { + "alert_name": "Advanced Search", + "child_id": 1, + "hostname": "example-vsensor", + "ip_address": "175.16.199.1", + "last_updated": "2021-04-18T15:44:11.000Z", + "last_updated_status": "2021-04-18T15:44:11.000Z", + "message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", + "name": "advanced_search", + "priority": 43, + "priority_level": "medium", + "status": "active", + "uuid": "abcdabcd-1234-1234-1234-3abababcdcd3" + } + }, + "data_stream": { + "dataset": "darktrace.system_status_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "dataset": "darktrace.system_status_alert", + "id": "abcdabcd-1234-1234-1234-3abababcdcd3", + "ingested": "2022-09-30T11:41:35Z", + "kind": "alert", + "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}", + "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", + "risk_score": 43, + "risk_score_norm": 43, + "type": [ + "info" + ] + }, + "host": { + "hostname": "example-vsensor", + "ip": "175.16.199.1" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.128.5:36197" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "related": { + "hosts": [ + "example-vsensor" + ], + "ip": [ + "175.16.199.1" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace-system_status_alert" + ] +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/docs/README.md b/packages/darktrace/0.1.2/docs/README.md new file mode 100755 index 0000000000..e720ef7ac8 --- /dev/null +++ b/packages/darktrace/0.1.2/docs/README.md @@ -0,0 +1,1462 @@ +# Darktrace + +## Overview + +The [Darktrace](https://darktrace.com/) integration allows you to monitor Alert Logs. Darktrace is a network solution for detecting and investigating emerging cyber-threats that evade traditional security tools. It is powered by Enterprise Immune System technology, which uses machine learning and mathematics to monitor behaviors and detect anomalies in your organization’s network. + +Use the Darktrace integration to collect and parse data from the REST APIs or via Syslog. Then visualise that data in Kibana. + +For example, you could use the data from this integration to know which model is breached and analyse model breaches, and also know about system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. + +## Data streams + +The Darktrace integration collects logs for three types of events: AI Analyst Alert, Model Breach Alert and System Status Alert. + +**AI Analyst Alert** is generated by investigates, analyzes, and reports upon threats seen within your Darktrace environment; as a starting point, it reviews and investigates all Model Breaches that occur on the system. If behavior which would be of interest to a cyber analyst is detected, an event is created. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-aia-json-schema). + +**Model Breach Alert** is generated when a model breach is triggered. A model is used to define a set of conditions which, when met, will alert the system to the occurrence of a particular event or chain of anomalous behavior. Darktrace models are focused on pattern-of-life anomaly detection, potentially malicious behavior, and compliance issues. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-json-schema). + +**System Status Alert** keep Darktrace operators informed of system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. System Status Alerts include details of the originating host, the severity of the event, and links that may be helpful to investigate or resolve the issue. Notifications are sent for active system events and (optionally) on event resolution. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-json-system-schema). + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +Firewall exceptions to allow communication from the Darktrace master instance to the Syslog server. + +This module has been tested against **Darktrace Threat Visualizer v5.2**. + +## Setup + +### To collect data from Darktrace REST APIs, follow the below steps: + +1. Hostname URL will be your ``. (Threat Visualizer Console Hostname) +2. Public and Private Token will be generated by following this [Link](https://customerportal.darktrace.com/product-guides/main/api-tokens). + +**Note:** System Status Alert are not supported by REST API. + +### To collect data from Darktrace via Syslog, follow the below steps: + +The user needs to create a different Syslog Forwarder with different ports for each data stream. + +The process for configuring syslog-format alerts is identical for AI Analyst Alerts, Model Breach Alerts and System Status Alerts. Generic configuration guidance is provided below: + +1. Open the Darktrace Threat Visualizer Dashboard and navigate to the **System Config** page. (**Main menu › Admin**). +2. From the left-side menu, select **Modules**, then navigate to the **Workflow Integrations** section and choose **Syslog**. +3. Select **Syslog JSON** tab and click **New** to set up new Syslog Forwarder. +4. Enter the **IP Address**  and **Port** of the Elastic Agent that is running the integration in the **Server** and **Server Port** field respectively. + +For more details, see [Documentation](https://customerportal.darktrace.com/product-guides/main/json-alerts). + +**Note:** + - It is recommended to turn on **Full Timestamps** toggle in **Show Advanced Options** to get the full timestamp instead of the RFC3164-formatted timestamp. + - It is also recommended to turn off **Reduced Message Size** toggle in **Show Advanced Options** to get more information about alerts. + +### After following generic guidance steps, below are the steps for collecting individual logs for all three data streams. + +#### For AI Analyst Alert, below are the suggested configurations to collect all the events of AI Analyst Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| --------------------------------------- | ----------------------------------- | +| Send AI Analyst Alerts | ON | +| Send AI Analyst Alerts Immediately | ON | +| AI Analyst Behavior Filter | Critical, Suspicious and Compliance | +| Minimum AI Analyst Incident Event Score | 0 | +| Minimum AI Analyst Incident Score | 0 | +| Legacy AI Analyst Alerts | OFF | + +#### For Model Breach Alert, below are the suggested configurations to collect all the events of Model Breach Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| ---------------------------- | -------------------------------------------------- | +| Send Model Breach Alerts | ON | +| Model Breach Behavior Filter | Critical, Suspicious, Compliance and Informational | +| Minimum Breach Score | 0 | +| Minimum Breach Priority | 0 | +| Model Expression | N/A | +| Model Tags Expression | N/A | +| Device IP Addresses | N/A | +| Device Tags Addresses | N/A | + +#### For System Status Alert, below are the suggested configurations to collect all the events of System Status Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| ---------------------------------- | ------------- | +| Send System Status Alerts | ON | +| Send Resolved System Status Alerts | ON | +| Minimum System Status Priority | Informational | + +### See more about [Syslog Filters and Optional Settings](https://customerportal.darktrace.com/product-guides/main/syslog-json-alert-settings) + +**Note** : A Fully Qualified Domain Name (FQDN) must be configured for the Darktrace instance in order for links to be included in external alerts. + - An FQDN can be configured from the **System** subsection on the **Settings** tab of the Darktrace **System Config** page. + +## Logs reference + +### ai_analyst_alert + +This is the `ai_analyst_alert` dataset. + +#### Example + +An example event for `ai_analyst_alert` looks as following: + +```json +{ + "@timestamp": "2021-08-03T14:48:09.240Z", + "agent": { + "ephemeral_id": "82482032-e103-4c45-a00e-103ac604f4ae", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "ai_analyst_alert": { + "activity_id": "abcd1234", + "aia_score": 98, + "attack_phases": [ + 5 + ], + "breach_devices": [ + { + "did": 10, + "ip": "81.2.69.144", + "sid": 12, + "subnet": "VPN" + } + ], + "category": "critical", + "children": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ], + "created_at": "2021-08-03T14:48:09.240Z", + "current_group": "eabc1234-1234-1234-1234-cabcdefg0011", + "details": [ + [ + { + "contents": [ + { + "type": "device", + "values": [ + { + "did": 10, + "ip": "175.16.199.1", + "sid": 12, + "subnet": "VPN" + } + ] + } + ], + "header": "Breaching Device" + } + ], + [ + { + "contents": [ + { + "key": "Time", + "type": "timestampRange", + "values": [ + { + "end": 1628000141220, + "start": 1627985298683 + } + ] + }, + { + "key": "Number of unique IPs", + "type": "integer", + "values": [ + 16 + ] + }, + { + "key": "Targeted IP ranges include", + "type": "device", + "values": [ + { + "ip": "81.2.69.192" + }, + { + "ip": "175.16.199.1" + }, + { + "ip": "175.16.199.3" + } + ] + }, + { + "key": "Destination port", + "type": "integer", + "values": [ + 22 + ] + }, + { + "key": "Connection count", + "type": "integer", + "values": [ + 40 + ] + }, + { + "key": "Percentage successful", + "type": "percentage", + "values": [ + 100 + ] + } + ], + "header": "SSH Activity" + } + ] + ], + "group_by_activity": false, + "group_category": "critical", + "group_score": 72.9174234, + "grouping_ids": [ + "abcdef12" + ], + "id": "eabc0011-1234-1234-1234-cabcdefg0011", + "is_acknowledged": false, + "is_external_triggered": false, + "is_pinned": true, + "is_user_triggered": false, + "periods": [ + { + "end": "2021-08-03T14:15:41.220Z", + "start": "2021-08-03T10:08:18.683Z" + } + ], + "related_breaches": [ + { + "model_name": "Unusual Activity / Unusual Activity from Re-Activated Device", + "pbid": 1234, + "threat_score": 37, + "timestamp": "2021-08-03T13:25:57.000Z" + } + ], + "summariser": "AdminConnSummary", + "summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", + "title": "Extensive Unusual SSH Connections" + } + }, + "data_stream": { + "dataset": "darktrace.ai_analyst_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "darktrace.ai_analyst_alert", + "duration": [ + 14842537000000 + ], + "end": [ + "2021-08-03T14:15:41.220Z" + ], + "id": "eabc0011-1234-1234-1234-cabcdefg0011", + "ingested": "2022-09-30T11:36:06Z", + "kind": "alert", + "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}", + "reason": "Extensive Unusual SSH Connections", + "risk_score": 98, + "risk_score_norm": 98, + "start": [ + "2021-08-03T10:08:18.683Z" + ], + "type": [ + "info" + ] + }, + "host": { + "id": [ + "10" + ], + "ip": [ + "81.2.69.144" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.128.5:49066" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", + "related": { + "ip": [ + "81.2.69.144", + "175.16.199.1", + "81.2.69.192", + "175.16.199.3" + ] + }, + "rule": { + "name": [ + "Unusual Activity / Unusual Activity from Re-Activated Device" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace-ai_analyst_alert" + ], + "threat": { + "enrichments": { + "matched": { + "id": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ] + } + }, + "group": { + "id": "eabc1234-1234-1234-1234-cabcdefg0011" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| darktrace.ai_analyst_alert.activity_id | An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident. | keyword | +| darktrace.ai_analyst_alert.aia_score | The score of the event as classified by AI Analyst - out of 100. | double | +| darktrace.ai_analyst_alert.attack_phases | Of the six attack phases, which phases are applicable to the activity. | long | +| darktrace.ai_analyst_alert.breach_devices.did | The unique device id identifier for the device that triggered the breach. This field is used to group events into device-based incidents within the Threat Visualizer. | long | +| darktrace.ai_analyst_alert.breach_devices.hostname | The hostname associated with the device, if available. | keyword | +| darktrace.ai_analyst_alert.breach_devices.identifier | An identifier for the device used when constructing summaries or reports. May be the device label, hostname or IP, depending on availability. | keyword | +| darktrace.ai_analyst_alert.breach_devices.ip | The IP associated with the device. | keyword | +| darktrace.ai_analyst_alert.breach_devices.mac_address | The MAC address associated with the device. | keyword | +| darktrace.ai_analyst_alert.breach_devices.sid | The subnet id for the subnet the device is currently located in. | long | +| darktrace.ai_analyst_alert.breach_devices.subnet | The subnet label for the corresponding subnet, if available. | keyword | +| darktrace.ai_analyst_alert.category | The behavior category associated with the incident event. | keyword | +| darktrace.ai_analyst_alert.children | One or more unique identifiers that can be used to request this AI Analyst event via the UI or API. Where there is more than one uuid, requests can be made with comma-separated values. | keyword | +| darktrace.ai_analyst_alert.created_at | Timestamp for event creation in epoch time. | date | +| darktrace.ai_analyst_alert.current_group | The UUID of the current incident this event belongs to. | keyword | +| darktrace.ai_analyst_alert.details | An array of multiple sections (sub-arrays) of event information. | flattened | +| darktrace.ai_analyst_alert.group_by_activity | Used by pre-v5.2 legacy incident construction. Indicates whether the event should be aggregated by activity or by device to create an incident. When true, the event should be aggregated by activityID, and when false, aggregated by groupingID(s). | boolean | +| darktrace.ai_analyst_alert.group_category | The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. | keyword | +| darktrace.ai_analyst_alert.group_previous_groups | If the incident event was part of an incident which was later merged with another, the UUIDs of the incidents before they were merged. | keyword | +| darktrace.ai_analyst_alert.group_score | The current overall score of the incident this event is part of. | double | +| darktrace.ai_analyst_alert.grouping_ids | Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false , this field should be used to group events together into an incident. | keyword | +| darktrace.ai_analyst_alert.id | A system field. | keyword | +| darktrace.ai_analyst_alert.incident_event_url.domain | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.extension | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.fragment | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.full | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.original | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.password | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.path | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.port | | long | +| darktrace.ai_analyst_alert.incident_event_url.query | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.scheme | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.username | | keyword | +| darktrace.ai_analyst_alert.is_acknowledged | Whether the event has been acknowledged. | boolean | +| darktrace.ai_analyst_alert.is_external_triggered | Whether the event was created as a result of an externally triggered AI Analyst investigation. | boolean | +| darktrace.ai_analyst_alert.is_pinned | Whether the event, or an incident that the event is associated with, is pinned within the Threat Visualizer user interface. Pinned events will always return regardless of the timeframe specified. | boolean | +| darktrace.ai_analyst_alert.is_user_triggered | Whether the event was created as a result of a user-triggered AI Analyst investigation. | boolean | +| darktrace.ai_analyst_alert.periods.end | A timestamp for the end of the activity period in epoch time. | date | +| darktrace.ai_analyst_alert.periods.start | A timestamp for the start of the activity period in epoch time. | date | +| darktrace.ai_analyst_alert.related_breaches.model_name | The name of the model that breached. | keyword | +| darktrace.ai_analyst_alert.related_breaches.pbid | The policy breach ID unique identifier of the model breach. | long | +| darktrace.ai_analyst_alert.related_breaches.threat_score | The breach score of the associated model breach - out of 100. | long | +| darktrace.ai_analyst_alert.related_breaches.timestamp | The timestamp at which the model breach occurred in epoch time. | date | +| darktrace.ai_analyst_alert.summariser | A system field. | keyword | +| darktrace.ai_analyst_alert.summary | A textual summary of the suspicious activity. This example is abbreviated. | keyword | +| darktrace.ai_analyst_alert.title | A title describing the activity that occurred. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| rule.name | The name of the rule or signature generating the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.enrichments.matched.id | Identifies the _id of the indicator document enriching the event. | keyword | +| threat.group.id | The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. | keyword | + + +### model_breach_alert + +This is the `model_breach_alert` dataset. + +#### Example + +An example event for `model_breach_alert` looks as following: + +```json +{ + "@timestamp": "2022-07-11T13:04:08.000Z", + "agent": { + "ephemeral_id": "572d7663-c480-491f-b06f-96f0330cf942", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "model_breach_alert": { + "aianalyst_data": [ + { + "related": [ + 1 + ], + "summariser": "BeaconSummary", + "uuid": "1234abcd-1234-1234-1234-123456abcdef" + } + ], + "comment": { + "count": 0 + }, + "creation_time": "2022-07-11T13:04:19.000Z", + "device": { + "did": 3, + "first_seen": "2022-07-11T12:54:49.000Z", + "ip": "81.2.69.142", + "last_seen": "2022-07-11T13:00:18.000Z", + "sid": 1, + "type_label": "Desktop", + "type_name": "desktop" + }, + "model": { + "actions": { + "is_alerting": true, + "is_breach": true, + "is_priority_set": false, + "is_tag_set": false, + "is_type_set": false, + "model": true + }, + "active_times": { + "type": "exclusions", + "version": 2 + }, + "behaviour": "incdec1", + "category": "Informational", + "created": { + "by": "System" + }, + "delay": 0, + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", + "edited": { + "by": "System" + }, + "in_compliance_behavior_category": false, + "interval": 10800, + "is_active": true, + "is_auto_suppress": true, + "is_auto_updatable": true, + "is_auto_update": true, + "is_sequenced": false, + "is_shared_endpoints": false, + "logic": { + "data_weighted_component_list": [ + { + "cid": 2026, + "weight": 1 + }, + { + "cid": 2024, + "weight": 1 + }, + { + "cid": 2025, + "weight": -100 + } + ], + "target_score": 1, + "type": "weightedComponentList", + "version": 1 + }, + "modified": "2022-07-11T11:47:37.000Z", + "name": "Compromise::Beaconing Activity To External Rare", + "phid": 1072, + "pid": 156, + "priority": 2, + "tags": [ + "AP: C2 Comms" + ], + "throttle": 10800, + "uuid": "1234abcd-1234-1234-1234-123456abcdef", + "version": 23 + }, + "pbid": 1, + "score": 0.674, + "time": "2022-07-11T13:04:08.000Z", + "triggered_components": [ + { + "cbid": 1, + "chid": 2113, + "cid": 2026, + "interval": 3600, + "logic": { + "data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}", + "version": "v0.1" + }, + "metric": { + "label": "External Connections", + "mlid": 1, + "name": "externalconnections" + }, + "size": 11, + "threshold": 10, + "time": "2022-07-11T13:04:08.000Z", + "triggered_filters": [ + { + "arguments": { + "value": 60 + }, + "cfid": 23426, + "comparator_type": "\u003e", + "filter_type": "Beaconing score", + "id": "A", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23427, + "comparator_type": "\u003e", + "filter_type": "Individual size up", + "id": "AA", + "trigger": { + "value": "4382" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23428, + "comparator_type": "\u003e", + "filter_type": "Rare domain", + "id": "AB", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23430, + "comparator_type": "\u003c", + "filter_type": "Age of destination", + "id": "AD", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23431, + "comparator_type": "\u003c", + "filter_type": "Age of external hostname", + "id": "AE", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23432, + "comparator_type": "does not match regular expression", + "filter_type": "Connection hostname", + "id": "AF", + "trigger": { + "value": "example.com" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23433, + "comparator_type": "does not match regular expression", + "filter_type": "ASN", + "id": "AG", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "5d41402abc4b2a76b9719d911017c592" + }, + "cfid": 23434, + "comparator_type": "does not match", + "filter_type": "JA3 hash", + "id": "AH", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23435, + "comparator_type": "\u003e", + "filter_type": "Rare external IP", + "id": "B", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": "1003" + }, + "cfid": 23436, + "comparator_type": "is not", + "filter_type": "Application protocol", + "id": "C", + "trigger": { + "value": "1004" + } + }, + { + "arguments": { + "value": 53 + }, + "cfid": 23437, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "D", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "out" + }, + "cfid": 23438, + "comparator_type": "is", + "filter_type": "Direction", + "id": "E", + "trigger": { + "value": "out" + } + }, + { + "arguments": { + "value": 137 + }, + "cfid": 23439, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "H", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": 161 + }, + "cfid": 23440, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "I", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "6" + }, + "cfid": 23441, + "comparator_type": "is", + "filter_type": "Protocol", + "id": "J", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "Company" + }, + "cfid": 23442, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "K", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "Company" + }, + "cfid": 23443, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "L", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "13" + }, + "cfid": 23444, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "M", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "5" + }, + "cfid": 23445, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "N", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "9" + }, + "cfid": 23446, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "O", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "12" + }, + "cfid": 23447, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "P", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "30" + }, + "cfid": 23448, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "S", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "4" + }, + "cfid": 23449, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "U", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "3" + }, + "cfid": 23450, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "V", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "false" + }, + "cfid": 23451, + "comparator_type": "is", + "filter_type": "Trusted hostname", + "id": "X", + "trigger": { + "value": "false" + } + }, + { + "arguments": { + "value": 26 + }, + "cfid": 23452, + "comparator_type": "does not have tag", + "filter_type": "Tagged internal source", + "id": "Y", + "trigger": { + "tag": { + "data": { + "auto": false, + "color": 5, + "visibility": "Public" + }, + "expiry": 0, + "is_referenced": true, + "name": "No Device Tracking", + "restricted": false, + "thid": 26, + "tid": 26 + }, + "value": "26" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23453, + "comparator_type": "\u003e", + "filter_type": "Individual size down", + "id": "Z", + "trigger": { + "value": "5862" + } + }, + { + "cfid": 23454, + "comparator_type": "display", + "filter_type": "JA3 hash", + "id": "d1", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "cfid": 23455, + "comparator_type": "display", + "filter_type": "ASN", + "id": "d2", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "cfid": 23456, + "comparator_type": "display", + "filter_type": "Destination IP", + "id": "d3", + "trigger": { + "value": "81.2.69.192" + } + }, + { + "cfid": 23457, + "comparator_type": "display", + "filter_type": "Connection hostname", + "id": "d4", + "trigger": { + "value": "example.com" + } + } + ] + } + ] + } + }, + "data_stream": { + "dataset": "darktrace.model_breach_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2022-07-11T13:04:19.000Z", + "dataset": "darktrace.model_breach_alert", + "ingested": "2022-09-30T11:39:13Z", + "kind": "event", + "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "risk_score": 0.674, + "risk_score_norm": 67.4, + "severity": 2, + "start": [ + "2022-07-11T13:04:08.000Z" + ], + "type": [ + "info", + "connection" + ] + }, + "host": { + "id": "3", + "ip": [ + "81.2.69.142" + ], + "type": "desktop" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.128.5:60206" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "System" + ] + }, + "rule": { + "author": "System", + "category": "Informational", + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", + "name": "Compromise::Beaconing Activity To External Rare", + "ruleset": [ + "AP: C2 Comms" + ], + "uuid": "1234abcd-1234-1234-1234-123456abcdef", + "version": "23" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace-model_breach_alert" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| darktrace.model_breach_alert.aianalyst_data.related | | long | +| darktrace.model_breach_alert.aianalyst_data.summariser | | keyword | +| darktrace.model_breach_alert.aianalyst_data.uuid | | keyword | +| darktrace.model_breach_alert.breach_url.domain | | keyword | +| darktrace.model_breach_alert.breach_url.extension | | keyword | +| darktrace.model_breach_alert.breach_url.fragment | | keyword | +| darktrace.model_breach_alert.breach_url.full | | keyword | +| darktrace.model_breach_alert.breach_url.original | | keyword | +| darktrace.model_breach_alert.breach_url.password | | keyword | +| darktrace.model_breach_alert.breach_url.path | | keyword | +| darktrace.model_breach_alert.breach_url.port | | long | +| darktrace.model_breach_alert.breach_url.query | | keyword | +| darktrace.model_breach_alert.breach_url.scheme | | keyword | +| darktrace.model_breach_alert.breach_url.username | | keyword | +| darktrace.model_breach_alert.comment.count | The number of comments made against this breach. | long | +| darktrace.model_breach_alert.creation_time | The timestamp that the record of the breach was created. This is distinct from the “time” field. | date | +| darktrace.model_breach_alert.device.credentials | | keyword | +| darktrace.model_breach_alert.device.did | The “device id”, a unique identifier. | long | +| darktrace.model_breach_alert.device.first_seen | The first time the device was seen on the network. | date | +| darktrace.model_breach_alert.device.hostname | The current device hostname. | keyword | +| darktrace.model_breach_alert.device.ip | The current IP associated with the device. | keyword | +| darktrace.model_breach_alert.device.ip6 | Current IPv6 address of this device if applicable, otherwise undefined. | keyword | +| darktrace.model_breach_alert.device.ips.ip | A historic IP associated with the device. | keyword | +| darktrace.model_breach_alert.device.ips.sid | The subnet id for the subnet the IP belongs to. | long | +| darktrace.model_breach_alert.device.ips.time | The time the IP was last seen associated with that device in readable format. | date | +| darktrace.model_breach_alert.device.ips.timems | The time the IP was last seen associated with that device in epoch time. | date | +| darktrace.model_breach_alert.device.last_seen | The last time the device was seen on the network. | date | +| darktrace.model_breach_alert.device.mac_address | The current MAC address associated with the device. | keyword | +| darktrace.model_breach_alert.device.sid | The subnet id for the subnet the device is currently located in. | long | +| darktrace.model_breach_alert.device.tags.data.auto | | boolean | +| darktrace.model_breach_alert.device.tags.data.color | | long | +| darktrace.model_breach_alert.device.tags.data.description | | keyword | +| darktrace.model_breach_alert.device.tags.data.visibility | | keyword | +| darktrace.model_breach_alert.device.tags.expiry | | long | +| darktrace.model_breach_alert.device.tags.is_referenced | | boolean | +| darktrace.model_breach_alert.device.tags.name | | keyword | +| darktrace.model_breach_alert.device.tags.restricted | | boolean | +| darktrace.model_breach_alert.device.tags.thid | | long | +| darktrace.model_breach_alert.device.tags.tid | | long | +| darktrace.model_breach_alert.device.type_label | The device type in readable format. | keyword | +| darktrace.model_breach_alert.device.type_name | The device type in system format. | keyword | +| darktrace.model_breach_alert.device.vendor | The vendor of the device network card as derived by Darktrace from the MAC address. | keyword | +| darktrace.model_breach_alert.device_score | | double | +| darktrace.model_breach_alert.is_acknowledged | | boolean | +| darktrace.model_breach_alert.mitre_techniques.id | | keyword | +| darktrace.model_breach_alert.mitre_techniques.name | | keyword | +| darktrace.model_breach_alert.model.actions.antigena.action | The action to be performed. | keyword | +| darktrace.model_breach_alert.model.actions.antigena.duration | The duration in seconds that the antigena action should last for. | long | +| darktrace.model_breach_alert.model.actions.antigena.is_confirm_by_human_operator | Whether the action must be confirmed by a human operator, regardless of the global setting for Human Confirmation mode. | boolean | +| darktrace.model_breach_alert.model.actions.antigena.threshold | The breach score threshold (out of 100) over which antigena will take an action. | long | +| darktrace.model_breach_alert.model.actions.is_alerting | If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. | boolean | +| darktrace.model_breach_alert.model.actions.is_breach | If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. | boolean | +| darktrace.model_breach_alert.model.actions.is_priority_set | If the priority is to be changed on breach, the numeric value it should become. If no priority change action, a false boolean. | boolean | +| darktrace.model_breach_alert.model.actions.is_tag_set | If a tag is to be applied on model breach, a single number or array of the system ID for the tag(s) to be applied. If no tag action, a false boolean. | boolean | +| darktrace.model_breach_alert.model.actions.is_type_set | If a change device type action is to be applied on model breach, the numeric system ID for the label to be applied. If no change device type action is applied to the model, a false boolean. | boolean | +| darktrace.model_breach_alert.model.actions.model | If true, creates an event in the device’s event log without creating an alert/ model breach in the threat tray. | boolean | +| darktrace.model_breach_alert.model.active_times.devices | The device ids for devices on the list. | flattened | +| darktrace.model_breach_alert.model.active_times.tags | A system field. | flattened | +| darktrace.model_breach_alert.model.active_times.type | The type of list: “restrictions” indicates a blacklist, “exclusions” a whitelist. | keyword | +| darktrace.model_breach_alert.model.active_times.version | A system field. | long | +| darktrace.model_breach_alert.model.behaviour | The score modulation function as set in the model editor. | keyword | +| darktrace.model_breach_alert.model.category | The behavior category of the model that was breached. | keyword | +| darktrace.model_breach_alert.model.created.by | Username that created the model. | keyword | +| darktrace.model_breach_alert.model.defeats.arguments.value | The value(s) that must match for the defeat to take effect. | keyword | +| darktrace.model_breach_alert.model.defeats.comparator | The comparator that the value is compared against the create the defeat. | keyword | +| darktrace.model_breach_alert.model.defeats.filtertype | The filter the defeat is made from. | keyword | +| darktrace.model_breach_alert.model.defeats.id | A unique ID for the defeat. | long | +| darktrace.model_breach_alert.model.delay | Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models. | long | +| darktrace.model_breach_alert.model.description | The optional description of the model. | keyword | +| darktrace.model_breach_alert.model.edited.by | Username that last edited the model. | keyword | +| darktrace.model_breach_alert.model.edited.userid | | long | +| darktrace.model_breach_alert.model.in_compliance_behavior_category | Whether the model is in the compliance behavior category. | boolean | +| darktrace.model_breach_alert.model.interval | Where a model contains multiple components, this interval represents the time window in seconds in which all the components should fire for this model to be breached. | long | +| darktrace.model_breach_alert.model.is_active | Whether the model is enabled or disabled. | boolean | +| darktrace.model_breach_alert.model.is_auto_suppress | Whether the model will automatically be suppressed in the case of over-breaching. | boolean | +| darktrace.model_breach_alert.model.is_auto_updatable | Whether the model is suitable for auto update. | boolean | +| darktrace.model_breach_alert.model.is_auto_update | Whether the model is enabled for auto update. | boolean | +| darktrace.model_breach_alert.model.is_sequenced | Whether the components are required to fire in the specified order for the model breach to occur. | boolean | +| darktrace.model_breach_alert.model.is_shared_endpoints | For models that contain multiple components that reference an endpoint, this value indicates whether all endpoints should be identical for the model to fire. | boolean | +| darktrace.model_breach_alert.model.logic.data_component_list | This will be a list of component ID numbers. | long | +| darktrace.model_breach_alert.model.logic.data_weighted_component_list.cid | | long | +| darktrace.model_breach_alert.model.logic.data_weighted_component_list.weight | | long | +| darktrace.model_breach_alert.model.logic.target_score | | long | +| darktrace.model_breach_alert.model.logic.type | The type of model. | keyword | +| darktrace.model_breach_alert.model.logic.version | A number representing the version of model logic. | long | +| darktrace.model_breach_alert.model.modified | Timestamp at which the model was last modified, in a readable format. | date | +| darktrace.model_breach_alert.model.name | Name of the model that was breached. | keyword | +| darktrace.model_breach_alert.model.phid | The model “policy history” id. Increments when the model is modified. | long | +| darktrace.model_breach_alert.model.pid | The “policy id” of the model that was breached. | long | +| darktrace.model_breach_alert.model.priority | The model’s priority affects the strength with which it breaches (0-5 scale). | long | +| darktrace.model_breach_alert.model.tags | A list of tags that have been applied to this model in the Threat Visualizer model editor. | keyword | +| darktrace.model_breach_alert.model.throttle | For an individual device, this is the value in seconds for which this model will not fire again. | long | +| darktrace.model_breach_alert.model.uuid | A unique ID that is generated on creation of the model. | keyword | +| darktrace.model_breach_alert.model.version | The version of the model. Increments on each edit. | long | +| darktrace.model_breach_alert.pb_score | The model breach score, represented by a value between 0 and 1. | double | +| darktrace.model_breach_alert.pbid | The “policy breach ID” of the model breach. | long | +| darktrace.model_breach_alert.score | The model breach score, represented by a value between 0 and 1. | double | +| darktrace.model_breach_alert.time | The timestamp when the record was created in epoch time. | date | +| darktrace.model_breach_alert.triggered_components.cbid | The “component breach id”. A unique identifier for the component breach. | long | +| darktrace.model_breach_alert.triggered_components.chid | The “component history id”. Increments when the component is edited. | long | +| darktrace.model_breach_alert.triggered_components.cid | The “component id”. A unique identifier. | long | +| darktrace.model_breach_alert.triggered_components.interval | The timeframe in seconds within which the threshold must be satisfied. | long | +| darktrace.model_breach_alert.triggered_components.logic.data | It representing the logical relationship between component filters. Each filter is given an alphabetical reference and the contents of this field describe the relationship between those filters. | text | +| darktrace.model_breach_alert.triggered_components.logic.version | The version of the component logic. | keyword | +| darktrace.model_breach_alert.triggered_components.metric.label | The metric which data is returned for in readable format. | keyword | +| darktrace.model_breach_alert.triggered_components.metric.mlid | The “metric logic” id - unique identifier. | long | +| darktrace.model_breach_alert.triggered_components.metric.name | The metric which data is returned for in system format. | keyword | +| darktrace.model_breach_alert.triggered_components.size | The size of the value that was compared in the component. | long | +| darktrace.model_breach_alert.triggered_components.threshold | The threshold value that the size must exceed for the component to breach. | long | +| darktrace.model_breach_alert.triggered_components.time | A timestamp in Epoch time at which the components were triggered. | date | +| darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value | The value the filtertype should be compared against (using the specified comparator) to create the filter. | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.cfid | The ‘component filter id’. A unique identifier for the filter as part of a the component. | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.comparator_type | The comparator. A full list of comparators available for each filtertype can be found on the /filtertypes endpoint. | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.filter_type | The filtertype that is used in the filter. A full list of filtertypes can be found on the /filtertypes endpoint. | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.id | A filter that is used in the component logic. All filters are given alphabetical identifiers. Display filters - those that appear in the breach notification - can be identified by a lowercase ‘d’ and a numeral. | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.auto | | boolean | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.color | | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.description | | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.visibility | | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.expiry | nan | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.isReferenced | nan | boolean | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.name | nan | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.restricted | nan | boolean | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.thid | nan | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.tid | nan | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.value | The actual value that triggered the filter. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| rule.version | The version / revision of the rule being used for analysis. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | + + +### system_status_alert + +This is the `system_status_alert` dataset. + +#### Example + +An example event for `system_status_alert` looks as following: + +```json +{ + "@timestamp": "2021-04-18T15:44:11.000Z", + "agent": { + "ephemeral_id": "5b042cea-01fa-47a2-ab0f-ac1f7baa6bd2", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "system_status_alert": { + "alert_name": "Advanced Search", + "child_id": 1, + "hostname": "example-vsensor", + "ip_address": "175.16.199.1", + "last_updated": "2021-04-18T15:44:11.000Z", + "last_updated_status": "2021-04-18T15:44:11.000Z", + "message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", + "name": "advanced_search", + "priority": 43, + "priority_level": "medium", + "status": "active", + "uuid": "abcdabcd-1234-1234-1234-3abababcdcd3" + } + }, + "data_stream": { + "dataset": "darktrace.system_status_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "dataset": "darktrace.system_status_alert", + "id": "abcdabcd-1234-1234-1234-3abababcdcd3", + "ingested": "2022-09-30T11:41:35Z", + "kind": "alert", + "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}", + "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", + "risk_score": 43, + "risk_score_norm": 43, + "type": [ + "info" + ] + }, + "host": { + "hostname": "example-vsensor", + "ip": "175.16.199.1" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.128.5:36197" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "related": { + "hosts": [ + "example-vsensor" + ], + "ip": [ + "175.16.199.1" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace-system_status_alert" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| darktrace.system_status_alert.acknowledge_timeout | When acknowledgement of the alert expires. As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases. | keyword | +| darktrace.system_status_alert.alert_name | A human readable name of the alert type. | keyword | +| darktrace.system_status_alert.child_id | For probes (physical or virtual), the unique ID associated with the probe. | long | +| darktrace.system_status_alert.hostname | The hostname (if known) of the host experiencing the system alert. An exception exists for disconnection notices, where the hostname will be of the master from which the instance has disconnected. | keyword | +| darktrace.system_status_alert.ip_address | The IP of the host experiencing the system alert. An exception exists for disconnection notices, where the IP will be of the master from which the instance has disconnected. | keyword | +| darktrace.system_status_alert.last_updated | A timestamp in epoch time that the system alert itself was updated. | date | +| darktrace.system_status_alert.last_updated_status | A timestamp in epoch time that the status of the system alert was last updated globally. A status update is distinct from a update to the alert itself. | date | +| darktrace.system_status_alert.message | A textual description of the system event that has triggered the alert. | keyword | +| darktrace.system_status_alert.name | A system name of the alert type. | keyword | +| darktrace.system_status_alert.priority | The numeric criticality associated with the alert. | double | +| darktrace.system_status_alert.priority_level | The criticality of the alert. This value is calculated from the priority value: 0 - 40 low, 41 - 60 medium, 61 - 80 high, 81 - 100 critical. | keyword | +| darktrace.system_status_alert.status | The current status of the alert. Active alerts are ongoing, acknowledged events are those acknowledged on the System Status page, resolved alerts are system alerts that are no longer ongoing. Alerts will only be sent when alert enters the “active” or “resolved” state. | keyword | +| darktrace.system_status_alert.url.domain | | keyword | +| darktrace.system_status_alert.url.extension | | keyword | +| darktrace.system_status_alert.url.fragment | | keyword | +| darktrace.system_status_alert.url.full | | keyword | +| darktrace.system_status_alert.url.original | | keyword | +| darktrace.system_status_alert.url.password | | keyword | +| darktrace.system_status_alert.url.path | | keyword | +| darktrace.system_status_alert.url.port | | long | +| darktrace.system_status_alert.url.query | | keyword | +| darktrace.system_status_alert.url.scheme | | keyword | +| darktrace.system_status_alert.url.username | | keyword | +| darktrace.system_status_alert.uuid | A consistent UUID that can be used to navigate to the specific alert in the Threat Visualizer (https://[instance]/sysstatus/[uuid]). Where an alert is reactivated after resolution due to the issue reoccurring, the UUId will remain consistent across alerts. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/darktrace/0.1.2/img/darktrace-logo.svg b/packages/darktrace/0.1.2/img/darktrace-logo.svg new file mode 100755 index 0000000000..dd926f6292 --- /dev/null +++ b/packages/darktrace/0.1.2/img/darktrace-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/darktrace/0.1.2/img/darktrace-screenshot.png b/packages/darktrace/0.1.2/img/darktrace-screenshot.png new file mode 100755 index 0000000000..c78dc5bd31 Binary files /dev/null and b/packages/darktrace/0.1.2/img/darktrace-screenshot.png differ diff --git a/packages/darktrace/0.1.2/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.2/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json new file mode 100755 index 0000000000..3393705a4b --- /dev/null +++ b/packages/darktrace/0.1.2/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "Darktrace System Status Alerts Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1b85280d-b235-4523-b782-fd77e9046901\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"3702c81f-57cb-4f31-bb86-97827dab7021\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1b85280d-b235-4523-b782-fd77e9046901\":{\"columnOrder\":[\"426426da-2361-40d0-a759-2591bdf082c9\"],\"columns\":{\"426426da-2361-40d0-a759-2591bdf082c9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"3702c81f-57cb-4f31-bb86-97827dab7021\",\"key\":\"darktrace.system_status_alert.status\",\"negate\":false,\"params\":{\"query\":\"active\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.system_status_alert.status\":\"active\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"},\"visualization\":{\"accessor\":\"426426da-2361-40d0-a759-2591bdf082c9\",\"layerId\":\"1b85280d-b235-4523-b782-fd77e9046901\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"5f64c3c5-4d59-4abb-a6ab-234a1ee66151\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"5f64c3c5-4d59-4abb-a6ab-234a1ee66151\",\"title\":\"Number of Active Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f27d6430-9a24-4f7b-86b0-43950b6f2393\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f27d6430-9a24-4f7b-86b0-43950b6f2393\":{\"columnOrder\":[\"ecdeb1b2-48c5-4966-bca9-0f228a2916f3\",\"11c181af-dff4-4a0a-ad2e-0846bd66affe\"],\"columns\":{\"11c181af-dff4-4a0a-ad2e-0846bd66affe\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"},\"ecdeb1b2-48c5-4966-bca9-0f228a2916f3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Priority Level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"11c181af-dff4-4a0a-ad2e-0846bd66affe\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.system_status_alert.priority_level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ecdeb1b2-48c5-4966-bca9-0f228a2916f3\"],\"layerId\":\"f27d6430-9a24-4f7b-86b0-43950b6f2393\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"11c181af-dff4-4a0a-ad2e-0846bd66affe\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e7b10ecb-271a-4010-9947-9597225acd58\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"e7b10ecb-271a-4010-9947-9597225acd58\",\"title\":\"Distribution of System Status Alerts by Priority Level [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b1042ac5-75bd-48e1-9c8c-4ab507402159\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b1042ac5-75bd-48e1-9c8c-4ab507402159\":{\"columnOrder\":[\"7deb2674-d025-43e9-b627-7c8e4a3d3ba6\",\"72135a2c-712d-421e-8e29-8a5c82f557be\"],\"columns\":{\"72135a2c-712d-421e-8e29-8a5c82f557be\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"},\"7deb2674-d025-43e9-b627-7c8e4a3d3ba6\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Hostname\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"72135a2c-712d-421e-8e29-8a5c82f557be\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7deb2674-d025-43e9-b627-7c8e4a3d3ba6\",\"isTransposed\":false},{\"columnId\":\"72135a2c-712d-421e-8e29-8a5c82f557be\",\"isTransposed\":false}],\"layerId\":\"b1042ac5-75bd-48e1-9c8c-4ab507402159\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"77e3df19-769a-414a-b96b-dbb37169629d\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"77e3df19-769a-414a-b96b-dbb37169629d\",\"title\":\"Top 10 Hostname with Highest System Status Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-607d2de2-df5d-4503-90e0-4ac42323c46e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"607d2de2-df5d-4503-90e0-4ac42323c46e\":{\"columnOrder\":[\"dafa285e-d83f-4d93-af67-4b6b7a7437f3\",\"4ba339dd-9edb-445a-a121-43092d3b33a5\"],\"columns\":{\"4ba339dd-9edb-445a-a121-43092d3b33a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"},\"dafa285e-d83f-4d93-af67-4b6b7a7437f3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Alert Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ba339dd-9edb-445a-a121-43092d3b33a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.system_status_alert.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"dafa285e-d83f-4d93-af67-4b6b7a7437f3\",\"isTransposed\":false},{\"columnId\":\"4ba339dd-9edb-445a-a121-43092d3b33a5\",\"isTransposed\":false}],\"layerId\":\"607d2de2-df5d-4503-90e0-4ac42323c46e\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7d794103-85bd-4669-b9bc-b9223d2eba5c\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"7d794103-85bd-4669-b9bc-b9223d2eba5c\",\"title\":\"Top 10 Alert Name with Highest System Status Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd\",\"panelRefName\":\"panel_00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd\",\"type\":\"search\",\"version\":\"8.2.1\"}]", + "timeRestore": false, + "title": "[Logs Darktrace] System Status Alerts Overview", + "version": 1 + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "logs-*", + "name": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151:indexpattern-datasource-layer-1b85280d-b235-4523-b782-fd77e9046901", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151:3702c81f-57cb-4f31-bb86-97827dab7021", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e7b10ecb-271a-4010-9947-9597225acd58:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e7b10ecb-271a-4010-9947-9597225acd58:indexpattern-datasource-layer-f27d6430-9a24-4f7b-86b0-43950b6f2393", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77e3df19-769a-414a-b96b-dbb37169629d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77e3df19-769a-414a-b96b-dbb37169629d:indexpattern-datasource-layer-b1042ac5-75bd-48e1-9c8c-4ab507402159", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7d794103-85bd-4669-b9bc-b9223d2eba5c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7d794103-85bd-4669-b9bc-b9223d2eba5c:indexpattern-datasource-layer-607d2de2-df5d-4503-90e0-4ac42323c46e", + "type": "index-pattern" + }, + { + "id": "darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8", + "name": "00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd:panel_00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.2/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json new file mode 100755 index 0000000000..d1d19f372a --- /dev/null +++ b/packages/darktrace/0.1.2/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json @@ -0,0 +1,157 @@ +{ + "attributes": { + "description": "Darktrace Model Breach Alerts Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-16c69f2e-ffe0-4393-9d91-dece311e3f0f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"16c69f2e-ffe0-4393-9d91-dece311e3f0f\":{\"columnOrder\":[\"099298f5-fc58-4473-860e-84bc44f2e387\"],\"columns\":{\"099298f5-fc58-4473-860e-84bc44f2e387\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"accessor\":\"099298f5-fc58-4473-860e-84bc44f2e387\",\"layerId\":\"16c69f2e-ffe0-4393-9d91-dece311e3f0f\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14e3bf5d-011f-48d2-83a9-fc62d707cdd1\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"14e3bf5d-011f-48d2-83a9-fc62d707cdd1\",\"title\":\"Number of Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8d4cd3ff-fd36-462e-ae82-826554dc847d\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"88df79e3-51ce-46c3-b8da-6522f6dc9e40\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8d4cd3ff-fd36-462e-ae82-826554dc847d\":{\"columnOrder\":[\"861dc1ff-427e-4512-bb2c-e28d3f7564b2\"],\"columns\":{\"861dc1ff-427e-4512-bb2c-e28d3f7564b2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"rule.uuid\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"88df79e3-51ce-46c3-b8da-6522f6dc9e40\",\"key\":\"darktrace.model_breach_alert.model.is_active\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.model_breach_alert.model.is_active\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"accessor\":\"861dc1ff-427e-4512-bb2c-e28d3f7564b2\",\"layerId\":\"8d4cd3ff-fd36-462e-ae82-826554dc847d\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"07f13cdd-3a86-40e5-914f-8f50c695b6ee\",\"w\":15,\"x\":15,\"y\":0},\"panelIndex\":\"07f13cdd-3a86-40e5-914f-8f50c695b6ee\",\"title\":\"Number of Active Models [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a4c3d027-4533-411a-b9f1-26f0a4fedb66\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a4c3d027-4533-411a-b9f1-26f0a4fedb66\":{\"columnOrder\":[\"1ea9479b-4db9-4215-97d9-1d7a275176ab\",\"36c1f412-cfb7-4ea0-b9c9-a323c72e800d\"],\"columns\":{\"1ea9479b-4db9-4215-97d9-1d7a275176ab\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"36c1f412-cfb7-4ea0-b9c9-a323c72e800d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"rule.category\"},\"36c1f412-cfb7-4ea0-b9c9-a323c72e800d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ea9479b-4db9-4215-97d9-1d7a275176ab\"],\"layerId\":\"a4c3d027-4533-411a-b9f1-26f0a4fedb66\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"36c1f412-cfb7-4ea0-b9c9-a323c72e800d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1fafffde-be8a-4e46-bc58-a52db1e94931\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"1fafffde-be8a-4e46-bc58-a52db1e94931\",\"title\":\"Distribution of Model Breach Alerts by Model Category [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8a0016c8-0623-4e96-a007-240f0bfe88c2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8a0016c8-0623-4e96-a007-240f0bfe88c2\":{\"columnOrder\":[\"55131f02-db30-408f-8795-9cfee8f6758b\",\"b5b19414-8d46-4957-b69a-7a57518551fe\"],\"columns\":{\"55131f02-db30-408f-8795-9cfee8f6758b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Model Priority\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b5b19414-8d46-4957-b69a-7a57518551fe\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.severity\"},\"b5b19414-8d46-4957-b69a-7a57518551fe\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"b5b19414-8d46-4957-b69a-7a57518551fe\"],\"layerId\":\"8a0016c8-0623-4e96-a007-240f0bfe88c2\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"55131f02-db30-408f-8795-9cfee8f6758b\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ddcd6a80-5ab0-4522-b984-022b7da2d4b0\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"ddcd6a80-5ab0-4522-b984-022b7da2d4b0\",\"title\":\"Distribution of Model Breach Alerts by Model Priority [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c\":{\"columnOrder\":[\"c2ee5623-973c-416f-80b0-bae47d66f83b\",\"8630c019-3e7e-4734-b1c2-1a82f39fb7fc\"],\"columns\":{\"8630c019-3e7e-4734-b1c2-1a82f39fb7fc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"},\"c2ee5623-973c-416f-80b0-bae47d66f83b\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Model Behaviour\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8630c019-3e7e-4734-b1c2-1a82f39fb7fc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.model_breach_alert.model.behaviour\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"c2ee5623-973c-416f-80b0-bae47d66f83b\"],\"layerId\":\"267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"8630c019-3e7e-4734-b1c2-1a82f39fb7fc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"44710442-b7b8-413a-9e52-4d7ba519a296\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"44710442-b7b8-413a-9e52-4d7ba519a296\",\"title\":\"Distribution of Model Breach Alerts by Model Behaviour [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-26e0acea-9274-411a-91a3-8537b1e00aff\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"26e0acea-9274-411a-91a3-8537b1e00aff\":{\"columnOrder\":[\"ac9a1bc1-8890-4297-a82e-6f975d9175aa\",\"b451b0a8-806d-4d37-85c6-85c98330a533\"],\"columns\":{\"ac9a1bc1-8890-4297-a82e-6f975d9175aa\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Model Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b451b0a8-806d-4d37-85c6-85c98330a533\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"b451b0a8-806d-4d37-85c6-85c98330a533\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Model Breach Score\",\"operationType\":\"max\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.risk_score\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"ac9a1bc1-8890-4297-a82e-6f975d9175aa\",\"isTransposed\":false,\"summaryRow\":\"none\"},{\"columnId\":\"b451b0a8-806d-4d37-85c6-85c98330a533\",\"isTransposed\":false}],\"layerId\":\"26e0acea-9274-411a-91a3-8537b1e00aff\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"747c1919-e215-4b97-9d8b-8ee528c1deaa\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"747c1919-e215-4b97-9d8b-8ee528c1deaa\",\"title\":\"Top 10 Model Breach Alerts by Highest Model Breach Score [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-adde69bc-fda5-4560-8a54-202ca975652f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"adde69bc-fda5-4560-8a54-202ca975652f\":{\"columnOrder\":[\"c78a709f-ef66-4dbc-a1f2-070cb2116e4d\",\"ead17241-a253-4c78-917d-8ff1249061df\"],\"columns\":{\"c78a709f-ef66-4dbc-a1f2-070cb2116e4d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Model Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ead17241-a253-4c78-917d-8ff1249061df\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"ead17241-a253-4c78-917d-8ff1249061df\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"c78a709f-ef66-4dbc-a1f2-070cb2116e4d\",\"isTransposed\":false,\"width\":574},{\"columnId\":\"ead17241-a253-4c78-917d-8ff1249061df\",\"isTransposed\":false}],\"layerId\":\"adde69bc-fda5-4560-8a54-202ca975652f\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"aca1678c-d3d8-478e-a09c-dfdd86a5b3f7\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"aca1678c-d3d8-478e-a09c-dfdd86a5b3f7\",\"title\":\"Top 10 Model Name with Highest Model Breach [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0c7a50df-8359-42ff-806d-a22eb35b597a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0c7a50df-8359-42ff-806d-a22eb35b597a\":{\"columnOrder\":[\"729d6a4f-b1ba-47be-817a-2f2bf8b6f39c\",\"a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515\"],\"columns\":{\"729d6a4f-b1ba-47be-817a-2f2bf8b6f39c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Device Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.type\"},\"a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"729d6a4f-b1ba-47be-817a-2f2bf8b6f39c\",\"isTransposed\":false},{\"columnId\":\"a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515\",\"isTransposed\":false}],\"layerId\":\"0c7a50df-8359-42ff-806d-a22eb35b597a\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"19b3fa09-6280-430a-9046-a613dfde3696\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"19b3fa09-6280-430a-9046-a613dfde3696\",\"title\":\"Top 10 Device Type with Highest Model Breach [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7bd679f9-8a5b-4906-beaa-750102e3a26f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7bd679f9-8a5b-4906-beaa-750102e3a26f\":{\"columnOrder\":[\"13359fdf-964f-441c-8d49-dcacd44d74a9\",\"d0c28963-3b20-44ed-bd81-668ccef65e64\"],\"columns\":{\"13359fdf-964f-441c-8d49-dcacd44d74a9\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Vendor\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d0c28963-3b20-44ed-bd81-668ccef65e64\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.model_breach_alert.device.vendor\"},\"d0c28963-3b20-44ed-bd81-668ccef65e64\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"13359fdf-964f-441c-8d49-dcacd44d74a9\"],\"layerId\":\"7bd679f9-8a5b-4906-beaa-750102e3a26f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d0c28963-3b20-44ed-bd81-668ccef65e64\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"185e6cd3-4cf8-45fd-937e-77abd9e6aad7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"185e6cd3-4cf8-45fd-937e-77abd9e6aad7\",\"title\":\"Distribution of Model Breach Alerts by Targeted Vendor [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8ea502e-ae28-47dd-9b90-484d50083243\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8ea502e-ae28-47dd-9b90-484d50083243\":{\"columnOrder\":[\"0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1\",\"dbd63d7d-3048-4f3e-a068-d891e14f517b\"],\"columns\":{\"0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Device Host ID\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dbd63d7d-3048-4f3e-a068-d891e14f517b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.id\"},\"dbd63d7d-3048-4f3e-a068-d891e14f517b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1\",\"isTransposed\":false},{\"columnId\":\"dbd63d7d-3048-4f3e-a068-d891e14f517b\",\"isTransposed\":false}],\"layerId\":\"c8ea502e-ae28-47dd-9b90-484d50083243\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"7c6faaf4-5d0c-49a1-b1d2-605f18e675b0\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"7c6faaf4-5d0c-49a1-b1d2-605f18e675b0\",\"title\":\"Top 10 Device Host ID with Highest Model Breach [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88c07c59-c625-4652-8156-54991d0869d8\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88c07c59-c625-4652-8156-54991d0869d8\":{\"columnOrder\":[\"3fdb34e6-9e66-42b8-8705-ce15282352a8\",\"0f644c53-93f7-450a-ab4a-2d08a26251a7\"],\"columns\":{\"0f644c53-93f7-450a-ab4a-2d08a26251a7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.pbid\"},\"3fdb34e6-9e66-42b8-8705-ce15282352a8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Antigena Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0f644c53-93f7-450a-ab4a-2d08a26251a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"0f644c53-93f7-450a-ab4a-2d08a26251a7\"],\"layerId\":\"88c07c59-c625-4652-8156-54991d0869d8\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"3fdb34e6-9e66-42b8-8705-ce15282352a8\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"889bb859-0938-46a4-b078-30f5fedd10a7\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"889bb859-0938-46a4-b078-30f5fedd10a7\",\"title\":\"Distribution of Model Breach Alerts by Antigena Action [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-68e57e92-bad9-44bd-8022-16b46d218096\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"68e57e92-bad9-44bd-8022-16b46d218096\":{\"columnOrder\":[\"e320a021-5c16-4d5f-889a-f88e29cc8fd2\",\"e9f48d2b-6578-4b41-afdb-3070764712b2\"],\"columns\":{\"e320a021-5c16-4d5f-889a-f88e29cc8fd2\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"ignoreTimeRange\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"e9f48d2b-6578-4b41-afdb-3070764712b2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of Model Throttle\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.model_breach_alert.model.throttle\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"e9f48d2b-6578-4b41-afdb-3070764712b2\"],\"layerId\":\"68e57e92-bad9-44bd-8022-16b46d218096\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"e320a021-5c16-4d5f-889a-f88e29cc8fd2\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"e9f48d2b-6578-4b41-afdb-3070764712b2\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"c6560c58-be58-4718-abed-0356a2ba3b09\",\"w\":48,\"x\":0,\"y\":75},\"panelIndex\":\"c6560c58-be58-4718-abed-0356a2ba3b09\",\"title\":\"Model Throttle Over Time [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Tag Cloud\",\"emptyAsNull\":false,\"field\":\"darktrace.model_breach_alert.pbid\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Mitre Techniques\",\"field\":\"threat.technique.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":23,\"i\":\"12736f17-d97c-4f4c-a66b-5eba7c2fec9c\",\"w\":48,\"x\":0,\"y\":94},\"panelIndex\":\"12736f17-d97c-4f4c-a66b-5eba7c2fec9c\",\"title\":\"Top Mitre Techniques [Logs Darktrace]\",\"type\":\"visualization\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"e9b4f5f5-d478-403d-a78e-9e39ad3486f0\",\"w\":48,\"x\":0,\"y\":117},\"panelIndex\":\"e9b4f5f5-d478-403d-a78e-9e39ad3486f0\",\"panelRefName\":\"panel_e9b4f5f5-d478-403d-a78e-9e39ad3486f0\",\"type\":\"search\",\"version\":\"8.2.1\"}]", + "timeRestore": false, + "title": "[Logs Darktrace] Model Breach Alerts Overview", + "version": 1 + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "logs-*", + "name": "14e3bf5d-011f-48d2-83a9-fc62d707cdd1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14e3bf5d-011f-48d2-83a9-fc62d707cdd1:indexpattern-datasource-layer-16c69f2e-ffe0-4393-9d91-dece311e3f0f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07f13cdd-3a86-40e5-914f-8f50c695b6ee:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07f13cdd-3a86-40e5-914f-8f50c695b6ee:indexpattern-datasource-layer-8d4cd3ff-fd36-462e-ae82-826554dc847d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07f13cdd-3a86-40e5-914f-8f50c695b6ee:88df79e3-51ce-46c3-b8da-6522f6dc9e40", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1fafffde-be8a-4e46-bc58-a52db1e94931:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1fafffde-be8a-4e46-bc58-a52db1e94931:indexpattern-datasource-layer-a4c3d027-4533-411a-b9f1-26f0a4fedb66", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ddcd6a80-5ab0-4522-b984-022b7da2d4b0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ddcd6a80-5ab0-4522-b984-022b7da2d4b0:indexpattern-datasource-layer-8a0016c8-0623-4e96-a007-240f0bfe88c2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44710442-b7b8-413a-9e52-4d7ba519a296:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44710442-b7b8-413a-9e52-4d7ba519a296:indexpattern-datasource-layer-267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "747c1919-e215-4b97-9d8b-8ee528c1deaa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "747c1919-e215-4b97-9d8b-8ee528c1deaa:indexpattern-datasource-layer-26e0acea-9274-411a-91a3-8537b1e00aff", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aca1678c-d3d8-478e-a09c-dfdd86a5b3f7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aca1678c-d3d8-478e-a09c-dfdd86a5b3f7:indexpattern-datasource-layer-adde69bc-fda5-4560-8a54-202ca975652f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "19b3fa09-6280-430a-9046-a613dfde3696:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "19b3fa09-6280-430a-9046-a613dfde3696:indexpattern-datasource-layer-0c7a50df-8359-42ff-806d-a22eb35b597a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "185e6cd3-4cf8-45fd-937e-77abd9e6aad7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "185e6cd3-4cf8-45fd-937e-77abd9e6aad7:indexpattern-datasource-layer-7bd679f9-8a5b-4906-beaa-750102e3a26f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c6faaf4-5d0c-49a1-b1d2-605f18e675b0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c6faaf4-5d0c-49a1-b1d2-605f18e675b0:indexpattern-datasource-layer-c8ea502e-ae28-47dd-9b90-484d50083243", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "889bb859-0938-46a4-b078-30f5fedd10a7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "889bb859-0938-46a4-b078-30f5fedd10a7:indexpattern-datasource-layer-88c07c59-c625-4652-8156-54991d0869d8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c6560c58-be58-4718-abed-0356a2ba3b09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c6560c58-be58-4718-abed-0356a2ba3b09:indexpattern-datasource-layer-68e57e92-bad9-44bd-8022-16b46d218096", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "12736f17-d97c-4f4c-a66b-5eba7c2fec9c:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8", + "name": "e9b4f5f5-d478-403d-a78e-9e39ad3486f0:panel_e9b4f5f5-d478-403d-a78e-9e39ad3486f0", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.2/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json new file mode 100755 index 0000000000..c19715efa8 --- /dev/null +++ b/packages/darktrace/0.1.2/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json @@ -0,0 +1,122 @@ +{ + "attributes": { + "description": "Darktrace AI Analyst Alerts Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"6f5adda0-d13e-48e5-aead-37e6448b922a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f84b818-192c-4dca-b929-1884e060576b\":{\"columnOrder\":[\"367e5418-6e25-45f2-b5fc-6ddd3618b869\"],\"columns\":{\"367e5418-6e25-45f2-b5fc-6ddd3618b869\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"6f5adda0-d13e-48e5-aead-37e6448b922a\",\"key\":\"darktrace.ai_analyst_alert.is_user_triggered\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.ai_analyst_alert.is_user_triggered\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"accessor\":\"367e5418-6e25-45f2-b5fc-6ddd3618b869\",\"layerId\":\"1f84b818-192c-4dca-b929-1884e060576b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e28c7c69-2ae8-46fd-b361-38be020491a8\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"e28c7c69-2ae8-46fd-b361-38be020491a8\",\"title\":\"Count of User Triggered AI Analyst Investigation [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"68dafc9f-9ed2-4ef9-8587-14dba4241364\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f84b818-192c-4dca-b929-1884e060576b\":{\"columnOrder\":[\"367e5418-6e25-45f2-b5fc-6ddd3618b869\"],\"columns\":{\"367e5418-6e25-45f2-b5fc-6ddd3618b869\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"68dafc9f-9ed2-4ef9-8587-14dba4241364\",\"key\":\"darktrace.ai_analyst_alert.is_external_triggered\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.ai_analyst_alert.is_external_triggered\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"accessor\":\"367e5418-6e25-45f2-b5fc-6ddd3618b869\",\"layerId\":\"1f84b818-192c-4dca-b929-1884e060576b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"be1b9c5a-2ea0-48ac-8ad6-221769ff83f9\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"be1b9c5a-2ea0-48ac-8ad6-221769ff83f9\",\"title\":\"Count of Externally Triggered AI Analyst Investigation [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"fb69f35b-439b-47fc-b942-15dc9d439f8b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f84b818-192c-4dca-b929-1884e060576b\":{\"columnOrder\":[\"367e5418-6e25-45f2-b5fc-6ddd3618b869\"],\"columns\":{\"367e5418-6e25-45f2-b5fc-6ddd3618b869\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"fb69f35b-439b-47fc-b942-15dc9d439f8b\",\"key\":\"darktrace.ai_analyst_alert.is_acknowledged\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"darktrace.ai_analyst_alert.is_acknowledged\":true}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"accessor\":\"367e5418-6e25-45f2-b5fc-6ddd3618b869\",\"layerId\":\"1f84b818-192c-4dca-b929-1884e060576b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"034d5870-b571-4276-9fad-1495a3665eed\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"034d5870-b571-4276-9fad-1495a3665eed\",\"title\":\"Count of Acknowledged AI Analyst Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-66afac91-ca1e-4a4a-ab0d-e18a2903ace7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"66afac91-ca1e-4a4a-ab0d-e18a2903ace7\":{\"columnOrder\":[\"6e2b5d5b-0584-412f-a87f-b60279d2173d\",\"8f546d14-cc1d-4d80-8cec-8e326bfd19d1\"],\"columns\":{\"6e2b5d5b-0584-412f-a87f-b60279d2173d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Behavior Category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8f546d14-cc1d-4d80-8cec-8e326bfd19d1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.ai_analyst_alert.category\"},\"8f546d14-cc1d-4d80-8cec-8e326bfd19d1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"6e2b5d5b-0584-412f-a87f-b60279d2173d\"],\"layerId\":\"66afac91-ca1e-4a4a-ab0d-e18a2903ace7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"8f546d14-cc1d-4d80-8cec-8e326bfd19d1\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"65f35405-87eb-4a98-a0c2-2e3c7426cb28\",\"w\":24,\"x\":0,\"y\":13},\"panelIndex\":\"65f35405-87eb-4a98-a0c2-2e3c7426cb28\",\"title\":\"Distribution of AI Analyst Alerts by Behavior Category [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-effe003f-604a-49a3-a903-d4d2c75df944\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"effe003f-604a-49a3-a903-d4d2c75df944\":{\"columnOrder\":[\"937bae71-7159-4e35-87cf-dc372875ad59\",\"049804ee-f3a4-474f-8e76-d4c3e0eb77af\"],\"columns\":{\"049804ee-f3a4-474f-8e76-d4c3e0eb77af\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"},\"937bae71-7159-4e35-87cf-dc372875ad59\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Summariser\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"049804ee-f3a4-474f-8e76-d4c3e0eb77af\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"darktrace.ai_analyst_alert.summariser\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"049804ee-f3a4-474f-8e76-d4c3e0eb77af\"],\"layerId\":\"effe003f-604a-49a3-a903-d4d2c75df944\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"937bae71-7159-4e35-87cf-dc372875ad59\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8882d78e-7df8-4d33-b7b5-e21f5d25dfe7\",\"w\":24,\"x\":24,\"y\":13},\"panelIndex\":\"8882d78e-7df8-4d33-b7b5-e21f5d25dfe7\",\"title\":\"Distribution of AI Analyst Alerts by Summariser [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dea45bd8-269e-48c4-98d3-fc47717ae139\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dea45bd8-269e-48c4-98d3-fc47717ae139\":{\"columnOrder\":[\"71a3581e-24ae-48d8-958d-c574488b2f48\",\"e6083dcb-9465-4007-a133-569f31fe732d\"],\"columns\":{\"71a3581e-24ae-48d8-958d-c574488b2f48\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Alert Title\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e6083dcb-9465-4007-a133-569f31fe732d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.reason\"},\"e6083dcb-9465-4007-a133-569f31fe732d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Risk Score\",\"operationType\":\"max\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.risk_score\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"columns\":[{\"alignment\":\"left\",\"columnId\":\"71a3581e-24ae-48d8-958d-c574488b2f48\",\"isTransposed\":false},{\"columnId\":\"e6083dcb-9465-4007-a133-569f31fe732d\",\"isTransposed\":false}],\"layerId\":\"dea45bd8-269e-48c4-98d3-fc47717ae139\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6b003410-fd00-4dc5-b9c7-8bd1f711ffbe\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6b003410-fd00-4dc5-b9c7-8bd1f711ffbe\",\"title\":\"Top 10 AI Analyst Alerts with Highest Score [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3bb3b1dd-30aa-46d6-8a14-32c14c706f47\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3bb3b1dd-30aa-46d6-8a14-32c14c706f47\":{\"columnOrder\":[\"266f7f3a-5f46-40c5-a716-b2aab1d49d51\",\"36e2011c-141b-412b-a5fd-e5e9c62183ad\"],\"columns\":{\"266f7f3a-5f46-40c5-a716-b2aab1d49d51\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Hostname\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"36e2011c-141b-412b-a5fd-e5e9c62183ad\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.hostname\"},\"36e2011c-141b-412b-a5fd-e5e9c62183ad\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"event.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"266f7f3a-5f46-40c5-a716-b2aab1d49d51\",\"isTransposed\":false},{\"columnId\":\"36e2011c-141b-412b-a5fd-e5e9c62183ad\",\"isTransposed\":false}],\"layerId\":\"3bb3b1dd-30aa-46d6-8a14-32c14c706f47\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"930d2983-f872-4001-ba45-b44aee791167\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"930d2983-f872-4001-ba45-b44aee791167\",\"title\":\"Top 10 BreachDevices Hostname with Highest AI Analyst Alerts [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9eda772e-1fbd-4296-a543-8bbd18b2359a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9eda772e-1fbd-4296-a543-8bbd18b2359a\":{\"columnOrder\":[\"45d996c5-b696-4fff-8f83-78473cc7798f\",\"252b0567-f0b1-4677-b6d8-e9d7a229431a\"],\"columns\":{\"252b0567-f0b1-4677-b6d8-e9d7a229431a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Group Score\",\"operationType\":\"max\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"darktrace.ai_analyst_alert.group_score\"},\"45d996c5-b696-4fff-8f83-78473cc7798f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Alert Title\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"252b0567-f0b1-4677-b6d8-e9d7a229431a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.reason\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"252b0567-f0b1-4677-b6d8-e9d7a229431a\",\"isTransposed\":false},{\"columnId\":\"45d996c5-b696-4fff-8f83-78473cc7798f\",\"isTransposed\":false,\"width\":551}],\"layerId\":\"9eda772e-1fbd-4296-a543-8bbd18b2359a\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":18,\"i\":\"7e4d0098-0cc8-403d-aaca-92758d697950\",\"w\":48,\"x\":0,\"y\":43},\"panelIndex\":\"7e4d0098-0cc8-403d-aaca-92758d697950\",\"title\":\"Top 10 AI Analyst Alerts with Highest Group Score [Logs Darktrace]\",\"type\":\"lens\",\"version\":\"8.2.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"4ce4eb50-af35-423a-b20f-61a715aa4388\",\"w\":48,\"x\":0,\"y\":61},\"panelIndex\":\"4ce4eb50-af35-423a-b20f-61a715aa4388\",\"panelRefName\":\"panel_4ce4eb50-af35-423a-b20f-61a715aa4388\",\"type\":\"search\",\"version\":\"8.2.1\"}]", + "timeRestore": false, + "title": "[Logs Darktrace] AI Analyst Alerts Overview", + "version": 1 + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "logs-*", + "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:6f5adda0-d13e-48e5-aead-37e6448b922a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:68dafc9f-9ed2-4ef9-8587-14dba4241364", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "034d5870-b571-4276-9fad-1495a3665eed:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "034d5870-b571-4276-9fad-1495a3665eed:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "034d5870-b571-4276-9fad-1495a3665eed:fb69f35b-439b-47fc-b942-15dc9d439f8b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "65f35405-87eb-4a98-a0c2-2e3c7426cb28:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "65f35405-87eb-4a98-a0c2-2e3c7426cb28:indexpattern-datasource-layer-66afac91-ca1e-4a4a-ab0d-e18a2903ace7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8882d78e-7df8-4d33-b7b5-e21f5d25dfe7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8882d78e-7df8-4d33-b7b5-e21f5d25dfe7:indexpattern-datasource-layer-effe003f-604a-49a3-a903-d4d2c75df944", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6b003410-fd00-4dc5-b9c7-8bd1f711ffbe:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6b003410-fd00-4dc5-b9c7-8bd1f711ffbe:indexpattern-datasource-layer-dea45bd8-269e-48c4-98d3-fc47717ae139", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "930d2983-f872-4001-ba45-b44aee791167:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "930d2983-f872-4001-ba45-b44aee791167:indexpattern-datasource-layer-3bb3b1dd-30aa-46d6-8a14-32c14c706f47", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7e4d0098-0cc8-403d-aaca-92758d697950:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7e4d0098-0cc8-403d-aaca-92758d697950:indexpattern-datasource-layer-9eda772e-1fbd-4296-a543-8bbd18b2359a", + "type": "index-pattern" + }, + { + "id": "darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8", + "name": "4ce4eb50-af35-423a-b20f-61a715aa4388:panel_4ce4eb50-af35-423a-b20f-61a715aa4388", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.2/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json new file mode 100755 index 0000000000..7410d2d10f --- /dev/null +++ b/packages/darktrace/0.1.2/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "darktrace.model_breach_alert.pbid", + "rule.category", + "rule.name", + "event.risk_score", + "host.id" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.model_breach_alert\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Model Breach Alerts Essential Details [Logs Darktrace]" + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.2/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json new file mode 100755 index 0000000000..f50fca24dc --- /dev/null +++ b/packages/darktrace/0.1.2/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "event.id", + "event.reason", + "darktrace.ai_analyst_alert.related_breaches.pbid", + "darktrace.ai_analyst_alert.attack_phases", + "event.risk_score" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.ai_analyst_alert\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "AI Analyst Alerts Essential Details [Logs Darktrace]" + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/0.1.2/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json new file mode 100755 index 0000000000..d4a24be88d --- /dev/null +++ b/packages/darktrace/0.1.2/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json @@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "event.id", + "darktrace.system_status_alert.last_updated_status", + "host.ip", + "darktrace.system_status_alert.alert_name", + "event.risk_score", + "darktrace.system_status_alert.status" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"darktrace.system_status_alert\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "System Status Alerts Essential Details [Logs Darktrace]" + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/darktrace/0.1.2/manifest.yml b/packages/darktrace/0.1.2/manifest.yml new file mode 100755 index 0000000000..48fc51dafe --- /dev/null +++ b/packages/darktrace/0.1.2/manifest.yml @@ -0,0 +1,136 @@ +format_version: 1.0.0 +name: darktrace +title: Darktrace +version: 0.1.2 +license: basic +description: Collect logs from Darktrace with Elastic Agent. +type: integration +categories: + - security +conditions: + kibana.version: ^8.2.1 +screenshots: + - src: /img/darktrace-screenshot.png + title: Darktrace Model Breach Alert Dashboard Screenshot + size: 600x600 + type: image/png +icons: + - src: /img/darktrace-logo.svg + title: Darktrace Logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: darktrace + title: Darktrace logs + description: Collect logs from Darktrace. + inputs: + - type: httpjson + title: Collect Darktrace logs via API + description: Collecting Darktrace logs via API. + vars: + - name: url + type: text + title: URL + description: Darktrace console URL. + required: true + - name: public_token + type: password + title: Public API Token + description: Public API Token. + required: true + - name: private_token + type: password + title: Private API Token + description: Private API Token. + required: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - type: tcp + title: Collect Darktrace logs via TCP + description: Collecting Darktrace logs via TCP. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - type: udp + title: Collect Darktrace logs via UDP + description: Collecting Darktrace logs via UDP. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost +owner: + github: elastic/security-external-integrations diff --git a/packages/f5/0.11.2/LICENSE.txt b/packages/f5/0.11.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/f5/0.11.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/f5/0.11.2/changelog.yml b/packages/f5/0.11.2/changelog.yml new file mode 100755 index 0000000000..bda86a7c91 --- /dev/null +++ b/packages/f5/0.11.2/changelog.yml @@ -0,0 +1,106 @@ +# newer versions go on top +- version: "0.11.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4407 +- version: "0.11.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "0.11.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3865 +- version: "0.10.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "0.9.0" + changes: + - description: Update to ECS 8.2.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "0.8.0" + changes: + - description: Update to ECS 8.0.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2584 +- version: "0.7.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.7.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2240 +- version: "0.6.4" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2108 +- version: "0.6.3" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1964 +- version: "0.6.2" + changes: + - description: Fixed a bug that prevents the package from working in 7.16. + type: bugfix + link: https://github.com/elastic/integrations/pull/1882 +- version: "0.6.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1816 +- version: "0.6.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1659 +- version: "0.5.3" + changes: + - description: Requires version 7.14.1 of the stack + type: bugfix + link: https://github.com/elastic/integrations/pull/1541 +- version: "0.5.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1476 +- version: '0.5.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1383 +- version: "0.5.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.4.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1262 +- version: "0.3.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1041 +- version: "0.2.4" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/844 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/package-storage/pull/181 diff --git a/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/stream.yml.hbs b/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..3717aa3b5f --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/stream.yml.hbs @@ -0,0 +1,2704 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ + setc("header_id","0001"), + setc("messageid","BIGIP_AFM"), + ])); + + var select1 = linear_select([ + hdr1, + ]); + + var part1 = tagval("MESSAGE#0:BIGIP_AFM", "nwparser.payload", tvm, { + "acl_policy_name": "policyname", + "acl_policy_type": "fld1", + "acl_rule_name": "rulename", + "action": "action", + "bigip_mgmt_ip": "hostip", + "context_name": "context", + "context_type": "fld2", + "date_time": "event_time_string", + "dest_ip": "daddr", + "dest_port": "dport", + "device_product": "product", + "device_vendor": "fld3", + "device_version": "version", + "drop_reason": "fld4", + "dst_geo": "location_dst", + "errdefs_msg_name": "event_type", + "errdefs_msgno": "id", + "flow_id": "fld5", + "hostname": "hostname", + "ip_protocol": "protocol", + "partition_name": "fld6", + "route_domain": "fld7", + "sa_translation_pool": "fld8", + "sa_translation_type": "fld9", + "severity": "severity", + "source_ip": "saddr", + "source_port": "sport", + "source_user": "username", + "src_geo": "location_src", + "translated_dest_ip": "dtransaddr", + "translated_dest_port": "dtransport", + "translated_ip_protocol": "fld10", + "translated_route_domain": "fld11", + "translated_source_ip": "stransaddr", + "translated_source_port": "stransport", + "translated_vlan": "fld12", + "vlan": "vlan", + }, processor_chain([ + setc("eventcategory","1801000000"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["event_time_string"], + fmts: [ + [dB,dD,dW,dZ], + ], + }), + setc("ec_subject","NetworkComm"), + setc("ec_theme","Communication"), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setf("obj_name","hfld6"), + ])); + + var msg1 = msg("BIGIP_AFM", part1); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "BIGIP_AFM": msg1, + }), + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/tcp.yml.hbs b/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..ab8e27aab6 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/tcp.yml.hbs @@ -0,0 +1,2701 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ + setc("header_id","0001"), + setc("messageid","BIGIP_AFM"), + ])); + + var select1 = linear_select([ + hdr1, + ]); + + var part1 = tagval("MESSAGE#0:BIGIP_AFM", "nwparser.payload", tvm, { + "acl_policy_name": "policyname", + "acl_policy_type": "fld1", + "acl_rule_name": "rulename", + "action": "action", + "bigip_mgmt_ip": "hostip", + "context_name": "context", + "context_type": "fld2", + "date_time": "event_time_string", + "dest_ip": "daddr", + "dest_port": "dport", + "device_product": "product", + "device_vendor": "fld3", + "device_version": "version", + "drop_reason": "fld4", + "dst_geo": "location_dst", + "errdefs_msg_name": "event_type", + "errdefs_msgno": "id", + "flow_id": "fld5", + "hostname": "hostname", + "ip_protocol": "protocol", + "partition_name": "fld6", + "route_domain": "fld7", + "sa_translation_pool": "fld8", + "sa_translation_type": "fld9", + "severity": "severity", + "source_ip": "saddr", + "source_port": "sport", + "source_user": "username", + "src_geo": "location_src", + "translated_dest_ip": "dtransaddr", + "translated_dest_port": "dtransport", + "translated_ip_protocol": "fld10", + "translated_route_domain": "fld11", + "translated_source_ip": "stransaddr", + "translated_source_port": "stransport", + "translated_vlan": "fld12", + "vlan": "vlan", + }, processor_chain([ + setc("eventcategory","1801000000"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["event_time_string"], + fmts: [ + [dB,dD,dW,dZ], + ], + }), + setc("ec_subject","NetworkComm"), + setc("ec_theme","Communication"), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setf("obj_name","hfld6"), + ])); + + var msg1 = msg("BIGIP_AFM", part1); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "BIGIP_AFM": msg1, + }), + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/udp.yml.hbs b/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..785081d787 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/agent/stream/udp.yml.hbs @@ -0,0 +1,2701 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Firewall" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ + setc("header_id","0001"), + setc("messageid","BIGIP_AFM"), + ])); + + var select1 = linear_select([ + hdr1, + ]); + + var part1 = tagval("MESSAGE#0:BIGIP_AFM", "nwparser.payload", tvm, { + "acl_policy_name": "policyname", + "acl_policy_type": "fld1", + "acl_rule_name": "rulename", + "action": "action", + "bigip_mgmt_ip": "hostip", + "context_name": "context", + "context_type": "fld2", + "date_time": "event_time_string", + "dest_ip": "daddr", + "dest_port": "dport", + "device_product": "product", + "device_vendor": "fld3", + "device_version": "version", + "drop_reason": "fld4", + "dst_geo": "location_dst", + "errdefs_msg_name": "event_type", + "errdefs_msgno": "id", + "flow_id": "fld5", + "hostname": "hostname", + "ip_protocol": "protocol", + "partition_name": "fld6", + "route_domain": "fld7", + "sa_translation_pool": "fld8", + "sa_translation_type": "fld9", + "severity": "severity", + "source_ip": "saddr", + "source_port": "sport", + "source_user": "username", + "src_geo": "location_src", + "translated_dest_ip": "dtransaddr", + "translated_dest_port": "dtransport", + "translated_ip_protocol": "fld10", + "translated_route_domain": "fld11", + "translated_source_ip": "stransaddr", + "translated_source_port": "stransport", + "translated_vlan": "fld12", + "vlan": "vlan", + }, processor_chain([ + setc("eventcategory","1801000000"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["event_time_string"], + fmts: [ + [dB,dD,dW,dZ], + ], + }), + setc("ec_subject","NetworkComm"), + setc("ec_theme","Communication"), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setf("obj_name","hfld6"), + ])); + + var msg1 = msg("BIGIP_AFM", part1); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "BIGIP_AFM": msg1, + }), + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/f5/0.11.2/data_stream/bigipafm/elasticsearch/ingest_pipeline/default.yml b/packages/f5/0.11.2/data_stream/bigipafm/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..81eaba6e6b --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,92 @@ +--- +description: Pipeline for Big-IP Advanced Firewall Manager + +processors: + - set: + field: ecs.version + value: '8.4.0' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # URL + - uri_parts: + field: url.original + target_field: _temp_.url + ignore_failure: true + if: ctx?.url?.original != null + - script: + lang: painless + description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings + if: ctx?._temp_?.url != null + source: | + for (entry in ctx._temp_.url.entrySet()) { + if (entry != null && entry.getValue() != null) { + if(ctx.url[entry.getKey()] == null) { + ctx.url[entry.getKey()] = entry.getValue(); + } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { + ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; + ctx.url[entry.getKey()].add(entry.getValue()); + } + } + } + - remove: + field: _temp_ + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/f5/0.11.2/data_stream/bigipafm/fields/base-fields.yml b/packages/f5/0.11.2/data_stream/bigipafm/fields/base-fields.yml new file mode 100755 index 0000000000..62774970e5 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/fields/base-fields.yml @@ -0,0 +1,38 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: f5 +- name: event.dataset + type: constant_keyword + description: Event dataset + value: f5.bigipafm +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long diff --git a/packages/f5/0.11.2/data_stream/bigipafm/fields/ecs.yml b/packages/f5/0.11.2/data_stream/bigipafm/fields/ecs.yml new file mode 100755 index 0000000000..63f03c4c3a --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/fields/ecs.yml @@ -0,0 +1,564 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/f5/0.11.2/data_stream/bigipafm/fields/fields.yml b/packages/f5/0.11.2/data_stream/bigipafm/fields/fields.yml new file mode 100755 index 0000000000..710c87215f --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/fields/fields.yml @@ -0,0 +1,1755 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword + description: Interface name as reported by the system. diff --git a/packages/f5/0.11.2/data_stream/bigipafm/manifest.yml b/packages/f5/0.11.2/data_stream/bigipafm/manifest.yml new file mode 100755 index 0000000000..ec30794f6d --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/manifest.yml @@ -0,0 +1,202 @@ +title: Big-IP Advanced Firewall Manager logs +release: experimental +type: logs +streams: + - input: udp + title: Big-IP Advanced Firewall Manager logs + description: Collect Big-IP Advanced Firewall Manager logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - f5-bigipafm + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 9544 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp + title: Big-IP Advanced Firewall Manager logs + description: Collect Big-IP Advanced Firewall Manager logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - f5-bigipafm + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP port to listen on + multi: false + required: true + show_user: true + default: 9544 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile + enabled: false + title: Big-IP Advanced Firewall Manager logs + description: Collect Big-IP Advanced Firewall Manager logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/f5-bigipafm.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - f5-bigipafm + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/f5/0.11.2/data_stream/bigipafm/sample_event.json b/packages/f5/0.11.2/data_stream/bigipafm/sample_event.json new file mode 100755 index 0000000000..7a3a169d59 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipafm/sample_event.json @@ -0,0 +1,131 @@ +{ + "@timestamp": "2022-01-25T12:18:22.321Z", + "agent": { + "ephemeral_id": "60eda739-ea9f-45a3-a426-166733b1dc7f", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "f5.bigipafm", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "geo": { + "country_name": "umq" + }, + "nat": { + "ip": "10.165.201.71", + "port": 6153 + }, + "port": 2288 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "Closed", + "agent_id_status": "verified", + "code": "boNemoe", + "dataset": "f5.bigipafm", + "ingested": "2022-01-25T12:18:23Z", + "timezone": "+00:00" + }, + "host": { + "ip": "10.228.193.207", + "name": "tatemac3541.api.corp" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "low", + "source": { + "address": "172.30.0.4:44466" + } + }, + "network": { + "protocol": "ipv6" + }, + "observer": { + "product": "pexe", + "type": "Firewall", + "vendor": "F5", + "version": "1.2262" + }, + "related": { + "hosts": [ + "tatemac3541.api.corp" + ], + "ip": [ + "10.11.196.142", + "10.208.121.85", + "10.165.201.71", + "10.228.193.207" + ], + "user": [ + "billoi" + ] + }, + "rsa": { + "internal": { + "messageid": "BIGIP_AFM" + }, + "investigations": { + "ec_activity": "Disable", + "ec_subject": "NetworkComm", + "ec_theme": "Communication" + }, + "misc": { + "action": [ + "Closed" + ], + "context": "liqua", + "event_type": "equepor", + "obj_name": "odoco", + "policy_name": "ria", + "reference_id": "boNemoe", + "rule_name": "ite", + "severity": "low", + "version": "1.2262" + }, + "network": { + "alias_host": [ + "tatemac3541.api.corp" + ] + }, + "time": { + "event_time_str": "Jan" + } + }, + "rule": { + "name": "ite" + }, + "source": { + "geo": { + "country_name": "sperna" + }, + "ip": [ + "10.208.121.85" + ], + "nat": { + "ip": "10.11.196.142", + "port": 5222 + }, + "port": 884 + }, + "tags": [ + "f5-bigipafm", + "forwarded" + ], + "user": { + "name": "billoi" + } +} \ No newline at end of file diff --git a/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/stream.yml.hbs b/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..14a1239b79 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/stream.yml.hbs @@ -0,0 +1,3740 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Access" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var dup6 = setc("eventcategory","1801000000"); + + var dup7 = setc("eventcategory","1801010000"); + + var dup8 = setc("eventcategory","1502000000"); + + var dup9 = setc("eventcategory","1805010000"); + + var dup10 = setc("eventcategory","1803000000"); + + var dup11 = setc("eventcategory","1803030000"); + + var dup12 = setc("disposition"," Successful"); + + var dup13 = setc("dclass_counter1_string"," Logon Attempt"); + + var dup14 = setc("eventcategory","1204000000"); + + var dup15 = date_time({ + dest: "event_time", + args: ["fld20"], + fmts: [ + [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup16 = setc("eventcategory","1605000000"); + + var dup17 = setc("eventcategory","1612000000"); + + var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}: [%{messageid}]%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": ["), + field("messageid"), + constant("]"), + field("p0"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("p0"), + ], + }), + ])); + + var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{messageid}:%{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{p0}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(" /"), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("01490502", dup18); + + var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg2 = msg("01490521", part1); + + var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg3 = msg("01490506", part2); + + var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is %{fqdn}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg4 = msg("01490113:01", part3); + + var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg5 = msg("01490113:02", part4); + + var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg6 = msg("01490113:03", part5); + + var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg7 = msg("01490113:04", part6); + + var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg8 = msg("01490113:05", part7); + + var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg9 = msg("01490113:06", part8); + + var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg10 = msg("01490113", part9); + + var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part10 = match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: Username '%{p0}"); + + var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + + var all1 = all_match({ + processors: [ + dup5, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + dup3, + ]), + }); + + var msg11 = msg("01490010", all1); + + var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, + dup3, + ])); + + var msg12 = msg("01490009", part13); + + var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, + dup3, + ])); + + var msg13 = msg("01490102", part14); + + var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg14 = msg("01490000:02", part15); + + var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg15 = msg("01490000:01", part16); + + var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg16 = msg("01490000", part17); + + var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg17 = msg("01490000:03", part18); + + var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + ]); + + var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg18 = msg("01490004", part19); + + var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); + + var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); + + var select5 = linear_select([ + part20, + part21, + ]); + + var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); + + var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); + + var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); + + var part25 = match_copy("MESSAGE#18:01490500/3_2", "nwparser.p0", "daddr"); + + var select6 = linear_select([ + part23, + part24, + part25, + ]); + + var all2 = all_match({ + processors: [ + dup5, + select5, + part22, + select6, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg19 = msg("01490500", all2); + + var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg20 = msg("01490005", part26); + + var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg21 = msg("01490006", part27); + + var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg22 = msg("01490007", part28); + + var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg23 = msg("01490008", part29); + + var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. File: %{filename}, Function: %{action}, Line: %{fld9}", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg24 = msg("01490514", part30); + + var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg25 = msg("01490505", part31); + + var msg26 = msg("01490501", dup18); + + var msg27 = msg("01490520", dup18); + + var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + setc("eventcategory","1609000000"), + dup2, + dup3, + ])); + + var msg28 = msg("01490142", part32); + + var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ + dup9, + dup2, + dup3, + ])); + + var msg29 = msg("01490504", part33); + + var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ + dup9, + dup2, + dup3, + ])); + + var msg30 = msg("01490538", part34); + + var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg31 = msg("01490107:01", part35); + + var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg32 = msg("01490107", part36); + + var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + + var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + + var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match_copy("MESSAGE#32:01490107:02/2", "nwparser.p0", "info"); + + var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup10, + dup2, + dup3, + ]), + }); + + var msg33 = msg("01490107:02", all3); + + var select8 = linear_select([ + msg31, + msg32, + msg33, + ]); + + var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg34 = msg("01490106", part41); + + var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg35 = msg("01490106:01", part42); + + var select9 = linear_select([ + msg34, + msg35, + ]); + + var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg36 = msg("01490128", part43); + + var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. Newly active generation count is: %{dclass_counter1}", processor_chain([ + dup11, + dup2, + setc("dclass_counter1_string","Newly active generation count"), + dup3, + ])); + + var msg37 = msg("01490101", part44); + + var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ + dup11, + dup2, + dup3, + ])); + + var msg38 = msg("01490103", part45); + + var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg39 = msg("01490115", part46); + + var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ + dup8, + dup2, + dup12, + dup13, + dup3, + ])); + + var msg40 = msg("01490017", part47); + + var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ + dup8, + dup2, + setc("disposition"," Failed"), + dup13, + dup3, + ])); + + var msg41 = msg("01490017:01", part48); + + var select10 = linear_select([ + msg40, + msg41, + ]); + + var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg42 = msg("01490013", part49); + + var part50 = match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup8, + dup2, + dup12, + dup3, + ])); + + var msg43 = msg("01490019", part50); + + var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg44 = msg("01490544", part51); + + var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup8, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), + dup3, + ])); + + var msg45 = msg("01490511", part52); + + var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ + dup8, + dup2, + setc("disposition","Succeeded"), + dup3, + ])); + + var msg46 = msg("014d0002", part53); + + var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ + dup8, + dup2, + setc("disposition","Failed"), + dup3, + ])); + + var msg47 = msg("014d0002:01", part54); + + var select11 = linear_select([ + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg48 = msg("01490079", part55); + + var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg49 = msg("01490165", part56); + + var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg50 = msg("01490166", part57); + + var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg51 = msg("01490167", part58); + + var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg52 = msg("01490169", part59); + + var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg53 = msg("0149016a", part60); + + var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg54 = msg("0149016b", part61); + + var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); + + var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + + var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + + var select12 = linear_select([ + part63, + part64, + ]); + + var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + + var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup14, + dup15, + dup2, + ]), + }); + + var msg55 = msg("ssl_acc", all4); + + var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ + dup14, + dup15, + dup2, + ])); + + var msg56 = msg("ssl_req", part66); + + var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup14, + dup15, + dup2, + ])); + + var msg57 = msg("acc", part67); + + var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg58 = msg("crond", part68); + + var msg59 = msg("crond:01", dup19); + + var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg60 = msg("crond:02", part69); + + var select13 = linear_select([ + msg58, + msg59, + msg60, + ]); + + var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + setc("eventcategory","1207000000"), + dup2, + dup3, + ])); + + var msg61 = msg("sSMTP", part70); + + var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg62 = msg("01420002", part71); + + var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg63 = msg("syslog-ng", part72); + + var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg64 = msg("syslog-ng:01", part73); + + var select14 = linear_select([ + msg63, + msg64, + ]); + + var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg65 = msg("auditd", part74); + + var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg66 = msg("014d0001", part75); + + var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); + + var part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + + var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + + var select15 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + + var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup6, + dup2, + dup3, + ]), + }); + + var msg67 = msg("014d0001:01", all5); + + var msg68 = msg("014d0001:02", dup20); + + var select16 = linear_select([ + msg66, + msg67, + msg68, + ]); + + var msg69 = msg("014d0044", dup20); + + var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); + + var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9}"); + + var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", "%{saddr}"); + + var select17 = linear_select([ + part81, + part82, + ]); + + var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg70 = msg("01490549", all6); + + var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg71 = msg("01490547", part83); + + var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg72 = msg("01490517", part84); + + var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg73 = msg("011f0005", part85); + + var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg74 = msg("014d0048", part86); + + var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg75 = msg("error", part87); + + var msg76 = msg("CROND:03", dup19); + + var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg77 = msg("01260009", part88); + + var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: %{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg78 = msg("apmd:04", part89); + + var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg79 = msg("apmd:03", part90); + + var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + + var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + + var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", "%{fld8}"); + + var select18 = linear_select([ + part92, + part93, + ]); + + var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup10, + dup2, + dup3, + ]), + }); + + var msg80 = msg("apmd:02", all7); + + var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg81 = msg("apmd", part94); + + var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, + "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), + ]); + + var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup6, + dup2, + dup3, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/tcp.yml.hbs b/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..85fcaeb935 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/tcp.yml.hbs @@ -0,0 +1,3737 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Access" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var dup6 = setc("eventcategory","1801000000"); + + var dup7 = setc("eventcategory","1801010000"); + + var dup8 = setc("eventcategory","1502000000"); + + var dup9 = setc("eventcategory","1805010000"); + + var dup10 = setc("eventcategory","1803000000"); + + var dup11 = setc("eventcategory","1803030000"); + + var dup12 = setc("disposition"," Successful"); + + var dup13 = setc("dclass_counter1_string"," Logon Attempt"); + + var dup14 = setc("eventcategory","1204000000"); + + var dup15 = date_time({ + dest: "event_time", + args: ["fld20"], + fmts: [ + [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup16 = setc("eventcategory","1605000000"); + + var dup17 = setc("eventcategory","1612000000"); + + var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}: [%{messageid}]%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": ["), + field("messageid"), + constant("]"), + field("p0"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("p0"), + ], + }), + ])); + + var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{messageid}:%{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{p0}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(" /"), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("01490502", dup18); + + var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg2 = msg("01490521", part1); + + var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg3 = msg("01490506", part2); + + var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is %{fqdn}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg4 = msg("01490113:01", part3); + + var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg5 = msg("01490113:02", part4); + + var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg6 = msg("01490113:03", part5); + + var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg7 = msg("01490113:04", part6); + + var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg8 = msg("01490113:05", part7); + + var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg9 = msg("01490113:06", part8); + + var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg10 = msg("01490113", part9); + + var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part10 = match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: Username '%{p0}"); + + var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + + var all1 = all_match({ + processors: [ + dup5, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + dup3, + ]), + }); + + var msg11 = msg("01490010", all1); + + var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, + dup3, + ])); + + var msg12 = msg("01490009", part13); + + var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, + dup3, + ])); + + var msg13 = msg("01490102", part14); + + var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg14 = msg("01490000:02", part15); + + var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg15 = msg("01490000:01", part16); + + var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg16 = msg("01490000", part17); + + var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg17 = msg("01490000:03", part18); + + var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + ]); + + var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg18 = msg("01490004", part19); + + var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); + + var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); + + var select5 = linear_select([ + part20, + part21, + ]); + + var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); + + var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); + + var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); + + var part25 = match_copy("MESSAGE#18:01490500/3_2", "nwparser.p0", "daddr"); + + var select6 = linear_select([ + part23, + part24, + part25, + ]); + + var all2 = all_match({ + processors: [ + dup5, + select5, + part22, + select6, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg19 = msg("01490500", all2); + + var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg20 = msg("01490005", part26); + + var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg21 = msg("01490006", part27); + + var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg22 = msg("01490007", part28); + + var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg23 = msg("01490008", part29); + + var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. File: %{filename}, Function: %{action}, Line: %{fld9}", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg24 = msg("01490514", part30); + + var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg25 = msg("01490505", part31); + + var msg26 = msg("01490501", dup18); + + var msg27 = msg("01490520", dup18); + + var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + setc("eventcategory","1609000000"), + dup2, + dup3, + ])); + + var msg28 = msg("01490142", part32); + + var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ + dup9, + dup2, + dup3, + ])); + + var msg29 = msg("01490504", part33); + + var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ + dup9, + dup2, + dup3, + ])); + + var msg30 = msg("01490538", part34); + + var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg31 = msg("01490107:01", part35); + + var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg32 = msg("01490107", part36); + + var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + + var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + + var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match_copy("MESSAGE#32:01490107:02/2", "nwparser.p0", "info"); + + var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup10, + dup2, + dup3, + ]), + }); + + var msg33 = msg("01490107:02", all3); + + var select8 = linear_select([ + msg31, + msg32, + msg33, + ]); + + var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg34 = msg("01490106", part41); + + var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg35 = msg("01490106:01", part42); + + var select9 = linear_select([ + msg34, + msg35, + ]); + + var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg36 = msg("01490128", part43); + + var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. Newly active generation count is: %{dclass_counter1}", processor_chain([ + dup11, + dup2, + setc("dclass_counter1_string","Newly active generation count"), + dup3, + ])); + + var msg37 = msg("01490101", part44); + + var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ + dup11, + dup2, + dup3, + ])); + + var msg38 = msg("01490103", part45); + + var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg39 = msg("01490115", part46); + + var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ + dup8, + dup2, + dup12, + dup13, + dup3, + ])); + + var msg40 = msg("01490017", part47); + + var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ + dup8, + dup2, + setc("disposition"," Failed"), + dup13, + dup3, + ])); + + var msg41 = msg("01490017:01", part48); + + var select10 = linear_select([ + msg40, + msg41, + ]); + + var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg42 = msg("01490013", part49); + + var part50 = match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup8, + dup2, + dup12, + dup3, + ])); + + var msg43 = msg("01490019", part50); + + var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg44 = msg("01490544", part51); + + var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup8, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), + dup3, + ])); + + var msg45 = msg("01490511", part52); + + var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ + dup8, + dup2, + setc("disposition","Succeeded"), + dup3, + ])); + + var msg46 = msg("014d0002", part53); + + var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ + dup8, + dup2, + setc("disposition","Failed"), + dup3, + ])); + + var msg47 = msg("014d0002:01", part54); + + var select11 = linear_select([ + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg48 = msg("01490079", part55); + + var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg49 = msg("01490165", part56); + + var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg50 = msg("01490166", part57); + + var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg51 = msg("01490167", part58); + + var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg52 = msg("01490169", part59); + + var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg53 = msg("0149016a", part60); + + var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg54 = msg("0149016b", part61); + + var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); + + var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + + var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + + var select12 = linear_select([ + part63, + part64, + ]); + + var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + + var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup14, + dup15, + dup2, + ]), + }); + + var msg55 = msg("ssl_acc", all4); + + var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ + dup14, + dup15, + dup2, + ])); + + var msg56 = msg("ssl_req", part66); + + var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup14, + dup15, + dup2, + ])); + + var msg57 = msg("acc", part67); + + var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg58 = msg("crond", part68); + + var msg59 = msg("crond:01", dup19); + + var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg60 = msg("crond:02", part69); + + var select13 = linear_select([ + msg58, + msg59, + msg60, + ]); + + var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + setc("eventcategory","1207000000"), + dup2, + dup3, + ])); + + var msg61 = msg("sSMTP", part70); + + var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg62 = msg("01420002", part71); + + var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg63 = msg("syslog-ng", part72); + + var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg64 = msg("syslog-ng:01", part73); + + var select14 = linear_select([ + msg63, + msg64, + ]); + + var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg65 = msg("auditd", part74); + + var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg66 = msg("014d0001", part75); + + var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); + + var part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + + var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + + var select15 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + + var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup6, + dup2, + dup3, + ]), + }); + + var msg67 = msg("014d0001:01", all5); + + var msg68 = msg("014d0001:02", dup20); + + var select16 = linear_select([ + msg66, + msg67, + msg68, + ]); + + var msg69 = msg("014d0044", dup20); + + var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); + + var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9}"); + + var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", "%{saddr}"); + + var select17 = linear_select([ + part81, + part82, + ]); + + var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg70 = msg("01490549", all6); + + var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg71 = msg("01490547", part83); + + var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg72 = msg("01490517", part84); + + var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg73 = msg("011f0005", part85); + + var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg74 = msg("014d0048", part86); + + var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg75 = msg("error", part87); + + var msg76 = msg("CROND:03", dup19); + + var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg77 = msg("01260009", part88); + + var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: %{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg78 = msg("apmd:04", part89); + + var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg79 = msg("apmd:03", part90); + + var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + + var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + + var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", "%{fld8}"); + + var select18 = linear_select([ + part92, + part93, + ]); + + var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup10, + dup2, + dup3, + ]), + }); + + var msg80 = msg("apmd:02", all7); + + var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg81 = msg("apmd", part94); + + var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, + "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), + ]); + + var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup6, + dup2, + dup3, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/udp.yml.hbs b/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..221da381fa --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/agent/stream/udp.yml.hbs @@ -0,0 +1,3737 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +fields_under_root: true +fields: + observer: + vendor: "F5" + product: "Big-IP" + type: "Access" +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var dup6 = setc("eventcategory","1801000000"); + + var dup7 = setc("eventcategory","1801010000"); + + var dup8 = setc("eventcategory","1502000000"); + + var dup9 = setc("eventcategory","1805010000"); + + var dup10 = setc("eventcategory","1803000000"); + + var dup11 = setc("eventcategory","1803030000"); + + var dup12 = setc("disposition"," Successful"); + + var dup13 = setc("dclass_counter1_string"," Logon Attempt"); + + var dup14 = setc("eventcategory","1204000000"); + + var dup15 = date_time({ + dest: "event_time", + args: ["fld20"], + fmts: [ + [dD,dc("/"),dB,dc("/"),dW,dc(":"),dN,dc(":"),dU,dc(":"),dO], + ], + }); + + var dup16 = setc("eventcategory","1605000000"); + + var dup17 = setc("eventcategory","1612000000"); + + var dup18 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var dup19 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}: %{messageid}: %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": "), + field("messageid"), + constant(": "), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}: [%{messageid}]%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(": ["), + field("messageid"), + constant("]"), + field("p0"), + ], + }), + ])); + + var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant("["), + field("hfld3"), + constant("]:"), + field("p0"), + ], + }), + ])); + + var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{messageid}:%{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(":"), + field("p0"), + ], + }), + ])); + + var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hostname->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{p0}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hdate"), + constant(" "), + field("htime"), + constant(" "), + field("hostname"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant("["), + field("hfld4"), + constant("]: "), + field("messageid"), + constant(" /"), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + ]); + + var msg1 = msg("01490502", dup18); + + var part1 = match("MESSAGE#1:01490521", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session statistics - bytes in:%{rbytes}, bytes out: %{sbytes}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg2 = msg("01490521", part1); + + var part2 = match("MESSAGE#2:01490506", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received User-Agent header: %{user_agent}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg3 = msg("01490506", part2); + + var part3 = match("MESSAGE#3:01490113:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.name is %{fqdn}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg4 = msg("01490113:01", part3); + + var part4 = match("MESSAGE#4:01490113:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.port is %{network_port}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg5 = msg("01490113:02", part4); + + var part5 = match("MESSAGE#5:01490113:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.listener.name is %{service}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg6 = msg("01490113:03", part5); + + var part6 = match("MESSAGE#6:01490113:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.server.network.protocol is %{network_service}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg7 = msg("01490113:04", part6); + + var part7 = match("MESSAGE#7:01490113:05", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.agent is %{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg8 = msg("01490113:05", part7); + + var part8 = match("MESSAGE#8:01490113:06", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.user.clientip is %{saddr}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg9 = msg("01490113:06", part8); + + var part9 = match("MESSAGE#9:01490113", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: session.%{info}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg10 = msg("01490113", part9); + + var select2 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + ]); + + var part10 = match("MESSAGE#10:01490010/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: Username '%{p0}"); + + var part11 = match("MESSAGE#10:01490010/1_1", "nwparser.p0", "%{sessionid}: Username '%{p0}"); + + var select3 = linear_select([ + part10, + part11, + ]); + + var part12 = match("MESSAGE#10:01490010/2", "nwparser.p0", "%{username}'"); + + var all1 = all_match({ + processors: [ + dup5, + select3, + part12, + ], + on_success: processor_chain([ + setc("eventcategory","1401000000"), + dup2, + dup3, + ]), + }); + + var msg11 = msg("01490010", all1); + + var part13 = match("MESSAGE#11:01490009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: ACL '%{policyname}' assigned", processor_chain([ + setc("eventcategory","1501020000"), + dup2, + dup3, + ])); + + var msg12 = msg("01490009", part13); + + var part14 = match("MESSAGE#12:01490102", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access policy result: %{result}", processor_chain([ + setc("eventcategory","1501000000"), + dup2, + dup3, + ])); + + var msg13 = msg("01490102", part14); + + var part15 = match("MESSAGE#13:01490000:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{authmethod->} authentication for user %{username->} using config %{fld8}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg14 = msg("01490000:02", part15); + + var part16 = match("MESSAGE#14:01490000:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: found HTTP %{resultcode->} in response header", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg15 = msg("01490000:01", part16); + + var part17 = match("MESSAGE#15:01490000", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{filename->} func: \"%{action}\" line: %{fld8->} Msg: %{result}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg16 = msg("01490000", part17); + + var part18 = match("MESSAGE#16:01490000:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{event_description}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg17 = msg("01490000:03", part18); + + var select4 = linear_select([ + msg14, + msg15, + msg16, + msg17, + ]); + + var part19 = match("MESSAGE#17:01490004", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Executed agent '%{application}', return value %{resultcode}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg18 = msg("01490004", part19); + + var part20 = match("MESSAGE#18:01490500/1_0", "nwparser.p0", "%{fld10}:%{fld11}:%{sessionid}: New session from client IP %{p0}"); + + var part21 = match("MESSAGE#18:01490500/1_1", "nwparser.p0", "%{sessionid}: New session from client IP %{p0}"); + + var select5 = linear_select([ + part20, + part21, + ]); + + var part22 = match("MESSAGE#18:01490500/2", "nwparser.p0", "%{saddr->} (ST=%{location_state}/CC=%{location_country}/C=%{location_city}) at VIP %{p0}"); + + var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listener %{fld8->} (Reputation=%{category})"); + + var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); + + var part25 = match_copy("MESSAGE#18:01490500/3_2", "nwparser.p0", "daddr"); + + var select6 = linear_select([ + part23, + part24, + part25, + ]); + + var all2 = all_match({ + processors: [ + dup5, + select5, + part22, + select6, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg19 = msg("01490500", all2); + + var part26 = match("MESSAGE#19:01490005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item %{fld9->} to ending %{fld10}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg20 = msg("01490005", part26); + + var part27 = match("MESSAGE#20:01490006", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{fld8->} from item '%{fld9}' to item '%{fld10}'", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg21 = msg("01490006", part27); + + var part28 = match("MESSAGE#21:01490007", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Session variable '%{change_attribute}' set to %{change_new}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg22 = msg("01490007", part28); + + var part29 = match("MESSAGE#22:01490008", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Connectivity resource %{application->} assigned", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg23 = msg("01490008", part29); + + var part30 = match("MESSAGE#23:01490514", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Access encountered error: %{result}. File: %{filename}, Function: %{action}, Line: %{fld9}", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg24 = msg("01490514", part30); + + var part31 = match("MESSAGE#24:01490505", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg25 = msg("01490505", part31); + + var msg26 = msg("01490501", dup18); + + var msg27 = msg("01490520", dup18); + + var part32 = match("MESSAGE#27:01490142", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + setc("eventcategory","1609000000"), + dup2, + dup3, + ])); + + var msg28 = msg("01490142", part32); + + var part33 = match("MESSAGE#28:01490504", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{fqdn->} can not be resolved.", processor_chain([ + dup9, + dup2, + dup3, + ])); + + var msg29 = msg("01490504", part33); + + var part34 = match("MESSAGE#29:01490538", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{fld8}: Configuration snapshot deleted by Access.", processor_chain([ + dup9, + dup2, + dup3, + ])); + + var msg30 = msg("01490538", part34); + + var part35 = match("MESSAGE#30:01490107:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{fld8}' failed: Clients credentials have been revoked, principal name: %{username}@%{fqdn}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg31 = msg("01490107:01", part35); + + var part36 = match("MESSAGE#31:01490107", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: %{result->} %{fld8}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg32 = msg("01490107", part36); + + var part37 = match("MESSAGE#32:01490107:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: %{p0}"); + + var part38 = match("MESSAGE#32:01490107:02/1_0", "nwparser.p0", "Client '%{fqdn}' not found in Kerberos database, principal name:%{fld10->} %{p0}"); + + var part39 = match("MESSAGE#32:01490107:02/1_1", "nwparser.p0", "%{result->} %{p0}"); + + var select7 = linear_select([ + part38, + part39, + ]); + + var part40 = match_copy("MESSAGE#32:01490107:02/2", "nwparser.p0", "info"); + + var all3 = all_match({ + processors: [ + part37, + select7, + part40, + ], + on_success: processor_chain([ + dup10, + dup2, + dup3, + ]), + }); + + var msg33 = msg("01490107:02", all3); + + var select8 = linear_select([ + msg31, + msg32, + msg33, + ]); + + var part41 = match("MESSAGE#33:01490106", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed in %{action}: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg34 = msg("01490106", part41); + + var part42 = match("MESSAGE#34:01490106:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD module: authentication with '%{username}' failed: Preauthentication failed, principal name: %{fld8}. %{result->} %{fld9}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg35 = msg("01490106:01", part42); + + var select9 = linear_select([ + msg34, + msg35, + ]); + + var part43 = match("MESSAGE#35:01490128", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Webtop %{application->} assigned", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg36 = msg("01490128", part43); + + var part44 = match("MESSAGE#36:01490101", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Access profile: %{fld8->} configuration has been applied. Newly active generation count is: %{dclass_counter1}", processor_chain([ + dup11, + dup2, + setc("dclass_counter1_string","Newly active generation count"), + dup3, + ])); + + var msg37 = msg("01490101", part44); + + var part45 = match("MESSAGE#37:01490103", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Retry Username '%{username}'", processor_chain([ + dup11, + dup2, + dup3, + ])); + + var msg38 = msg("01490103", part45); + + var part46 = match("MESSAGE#38:01490115", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Following rule %{rulename->} from item %{fld9->} to terminalout %{fld10}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg39 = msg("01490115", part46); + + var part47 = match("MESSAGE#39:01490017", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' successful", processor_chain([ + dup8, + dup2, + dup12, + dup13, + dup3, + ])); + + var msg40 = msg("01490017", part47); + + var part48 = match("MESSAGE#41:01490017:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Auth (logon attempt:%{dclass_counter1}): authenticate with '%{username}' failed", processor_chain([ + dup8, + dup2, + setc("disposition"," Failed"), + dup13, + dup3, + ])); + + var msg41 = msg("01490017:01", part48); + + var select10 = linear_select([ + msg40, + msg41, + ]); + + var part49 = match("MESSAGE#40:01490013", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Retrieving AAA server: %{fld8}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg42 = msg("01490013", part49); + + var part50 = match("MESSAGE#42:01490019", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: AD agent: Query: query with '(sAMAccountName=%{username})' successful", processor_chain([ + dup8, + dup2, + dup12, + dup3, + ])); + + var msg43 = msg("01490019", part50); + + var part51 = match("MESSAGE#43:01490544", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Received client info - %{web_referer}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg44 = msg("01490544", part51); + + var part52 = match("MESSAGE#44:01490511", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Initializing Access profile %{fld8->} with max concurrent user sessions limit: %{dclass_counter1}", processor_chain([ + dup8, + dup2, + setc("dclass_counter1_string"," Max Concurrent User Sessions Limit"), + dup3, + ])); + + var msg45 = msg("01490511", part52); + + var part53 = match("MESSAGE#45:014d0002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon succeeded, config %{fld8->} form %{fld9}", processor_chain([ + dup8, + dup2, + setc("disposition","Succeeded"), + dup3, + ])); + + var msg46 = msg("014d0002", part53); + + var part54 = match("MESSAGE#46:014d0002:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: SSOv2 Logon failed, config %{fld8->} form %{fld9}", processor_chain([ + dup8, + dup2, + setc("disposition","Failed"), + dup3, + ])); + + var msg47 = msg("014d0002:01", part54); + + var select11 = linear_select([ + msg46, + msg47, + ]); + + var part55 = match("MESSAGE#47:01490079", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: %{sessionid}: Access policy '%{fld8}' configuration has changed.Access profile '%{fld9}' configuration changes need to be applied for the new configuration", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg48 = msg("01490079", part55); + + var part56 = match("MESSAGE#48:01490165", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Access profile: %{fld8->} initialized with configuration snapshot catalog: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg49 = msg("01490165", part56); + + var part57 = match("MESSAGE#49:01490166", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} retrieved from session db for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg50 = msg("01490166", part57); + + var part58 = match("MESSAGE#50:01490167", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Current snapshot ID: %{fld8->} updated inside session db for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg51 = msg("01490167", part58); + + var part59 = match("MESSAGE#51:01490169", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Snapshot catalog entry: %{fld8->} added for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg52 = msg("01490169", part59); + + var part60 = match("MESSAGE#52:0149016a", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Initiating snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg53 = msg("0149016a", part60); + + var part61 = match("MESSAGE#53:0149016b", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: %{fld7}:%{fld6}: Completed snapshot creation: %{fld8->} for access profile: %{fld9}", processor_chain([ + dup8, + dup2, + dup3, + ])); + + var msg54 = msg("0149016b", part61); + + var part62 = match("MESSAGE#54:ssl_acc/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}] %{saddr->} - %{p0}"); + + var part63 = match("MESSAGE#54:ssl_acc/1_0", "nwparser.p0", "- %{p0}"); + + var part64 = match("MESSAGE#54:ssl_acc/1_1", "nwparser.p0", "%{username->} %{p0}"); + + var select12 = linear_select([ + part63, + part64, + ]); + + var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); + + var all4 = all_match({ + processors: [ + part62, + select12, + part65, + ], + on_success: processor_chain([ + dup14, + dup15, + dup2, + ]), + }); + + var msg55 = msg("ssl_acc", all4); + + var part66 = match("MESSAGE#55:ssl_req", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] %{saddr->} %{protocol->} %{encryption_type->} \"%{url}\" %{rbytes}", processor_chain([ + dup14, + dup15, + dup2, + ])); + + var msg56 = msg("ssl_req", part66); + + var part67 = match("MESSAGE#56:acc", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}: [%{event_type}]%{space}[%{fld20->} %{timezone}] \"%{web_method->} %{url->} %{version}\" %{resultcode->} %{rbytes->} \"%{fld7}\" \"%{user_agent}\"", processor_chain([ + dup14, + dup15, + dup2, + ])); + + var msg57 = msg("acc", part67); + + var part68 = match("MESSAGE#57:crond", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{username}(%{sessionid}): %{action}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg58 = msg("crond", part68); + + var msg59 = msg("crond:01", dup19); + + var part69 = match("MESSAGE#59:crond:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg60 = msg("crond:02", part69); + + var select13 = linear_select([ + msg58, + msg59, + msg60, + ]); + + var part70 = match("MESSAGE#60:sSMTP", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + setc("eventcategory","1207000000"), + dup2, + dup3, + ])); + + var msg61 = msg("sSMTP", part70); + + var part71 = match("MESSAGE#61:01420002", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{fld5}: AUDIT - pid=%{parent_pid->} user=%{username->} folder=%{directory->} module=%{fld6->} status=%{result->} cmd_data=%{info}", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg62 = msg("01420002", part71); + + var part72 = match("MESSAGE#62:syslog-ng", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg63 = msg("syslog-ng", part72); + + var part73 = match("MESSAGE#63:syslog-ng:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}: %{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg64 = msg("syslog-ng:01", part73); + + var select14 = linear_select([ + msg63, + msg64, + ]); + + var part74 = match("MESSAGE#64:auditd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: %{info}", processor_chain([ + dup17, + dup2, + dup3, + ])); + + var msg65 = msg("auditd", part74); + + var part75 = match("MESSAGE#65:014d0001", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ssoMethod: %{authmethod->} usernameSource: %{fld9->} passwordSource: %{fld10->} ntlmdomain: %{c_domain}", processor_chain([ + dup6, + dup2, + dup3, + ])); + + var msg66 = msg("014d0001", part75); + + var part76 = match("MESSAGE#66:014d0001:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: ctx: %{fld9}, %{p0}"); + + var part77 = match("MESSAGE#66:014d0001:01/1_0", "nwparser.p0", "SERVER %{p0}"); + + var part78 = match("MESSAGE#66:014d0001:01/1_1", "nwparser.p0", "CLIENT %{p0}"); + + var select15 = linear_select([ + part77, + part78, + ]); + + var part79 = match("MESSAGE#66:014d0001:01/2", "nwparser.p0", ": %{info}"); + + var all5 = all_match({ + processors: [ + part76, + select15, + part79, + ], + on_success: processor_chain([ + dup6, + dup2, + dup3, + ]), + }); + + var msg67 = msg("014d0001:01", all5); + + var msg68 = msg("014d0001:02", dup20); + + var select16 = linear_select([ + msg66, + msg67, + msg68, + ]); + + var msg69 = msg("014d0044", dup20); + + var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); + + var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9}"); + + var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", "%{saddr}"); + + var select17 = linear_select([ + part81, + part82, + ]); + + var all6 = all_match({ + processors: [ + part80, + select17, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), + }); + + var msg70 = msg("01490549", all6); + + var part83 = match("MESSAGE#70:01490547", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: Access Profile %{rulename}: %{result->} for %{saddr}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg71 = msg("01490547", part83); + + var part84 = match("MESSAGE#71:01490517", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{result}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg72 = msg("01490517", part84); + + var part85 = match("MESSAGE#72:011f0005", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{result->} (Client side: vip=%{url->} profile=%{protocol->} pool=%{fld8->} client_ip=%{saddr})", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg73 = msg("011f0005", part85); + + var part86 = match("MESSAGE#73:014d0048", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7->} %{rulename->} \u003c\u003c%{event_description}>: APM_EVENT=%{action->} | %{username->} | %{fld8->} ***%{result}***", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg74 = msg("014d0048", part86); + + var part87 = match("MESSAGE#74:error", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: [%{fld7}] [client %{saddr}] %{result}: %{url}", processor_chain([ + dup4, + dup2, + dup3, + ])); + + var msg75 = msg("error", part87); + + var msg76 = msg("CROND:03", dup19); + + var part88 = match("MESSAGE#76:01260009", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]:%{fld7}:%{fld6}: Connection error:%{event_description}", processor_chain([ + dup7, + dup2, + dup3, + ])); + + var msg77 = msg("01260009", part88); + + var part89 = match("MESSAGE#77:apmd:04", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: %{fld6->} - Hostname: %{shost->} Type: %{fld7->} Version: %{version->} Platform: %{os->} CPU: %{fld8->} Mode:%{fld9}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg78 = msg("apmd:04", part89); + + var part90 = match("MESSAGE#78:apmd:03", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: parseResponse(): Access-Reject packet from host %{saddr}:%{sport->} %{fld7}", processor_chain([ + dup10, + dup2, + dup3, + ])); + + var msg79 = msg("apmd:03", part90); + + var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]: %{fld4->} /Common/home_agent_tca:Common:%{fld5}: RADIUS module: authentication with '%{username}' failed: %{p0}"); + + var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); + + var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", "%{fld8}"); + + var select18 = linear_select([ + part92, + part93, + ]); + + var all7 = all_match({ + processors: [ + part91, + select18, + ], + on_success: processor_chain([ + dup10, + dup2, + dup3, + ]), + }); + + var msg80 = msg("apmd:02", all7); + + var part94 = match("MESSAGE#80:apmd", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} %{severity->} %{agent}[%{process_id}]:%{info}", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var msg81 = msg("apmd", part94); + + var select19 = linear_select([ + msg78, + msg79, + msg80, + msg81, + ]); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "011f0005": msg73, + "01260009": msg77, + "01420002": msg62, + "01490000": select4, + "01490004": msg18, + "01490005": msg20, + "01490006": msg21, + "01490007": msg22, + "01490008": msg23, + "01490009": msg12, + "01490010": msg11, + "01490013": msg42, + "01490017": select10, + "01490019": msg43, + "01490079": msg48, + "01490101": msg37, + "01490102": msg13, + "01490103": msg38, + "01490106": select9, + "01490107": select8, + "01490113": select2, + "01490115": msg39, + "01490128": msg36, + "01490142": msg28, + "01490165": msg49, + "01490166": msg50, + "01490167": msg51, + "01490169": msg52, + "0149016a": msg53, + "0149016b": msg54, + "01490500": msg19, + "01490501": msg26, + "01490502": msg1, + "01490504": msg29, + "01490505": msg25, + "01490506": msg3, + "01490511": msg45, + "01490514": msg24, + "01490517": msg72, + "01490520": msg27, + "01490521": msg2, + "01490538": msg30, + "01490544": msg44, + "01490547": msg71, + "01490549": msg70, + "014d0001": select16, + "014d0002": select11, + "014d0044": msg69, + "CROND": msg76, + "Rule": msg74, + "acc": msg57, + "apmd": select19, + "auditd": msg65, + "crond": select13, + "error": msg75, + "sSMTP": msg61, + "ssl_acc": msg55, + "ssl_req": msg56, + "syslog-ng": select14, + }), + ]); + + var part95 = match("MESSAGE#10:01490010/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{p0}"); + + var part96 = match("MESSAGE#0:01490502", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: %{event_description}", processor_chain([ + dup1, + dup2, + dup3, + ])); + + var part97 = match("MESSAGE#58:crond:01", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{agent}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ + dup16, + dup2, + dup3, + ])); + + var part98 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{info}", processor_chain([ + dup6, + dup2, + dup3, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/f5/0.11.2/data_stream/bigipapm/elasticsearch/ingest_pipeline/default.yml b/packages/f5/0.11.2/data_stream/bigipapm/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..e69a364124 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,92 @@ +--- +description: Pipeline for Big-IP Access Policy Manager + +processors: + - set: + field: ecs.version + value: '8.4.0' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # URL + - uri_parts: + field: url.original + target_field: _temp_.url + ignore_failure: true + if: ctx?.url?.original != null + - script: + lang: painless + description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings + if: ctx?._temp_?.url != null + source: | + for (entry in ctx._temp_.url.entrySet()) { + if (entry != null && entry.getValue() != null) { + if(ctx.url[entry.getKey()] == null) { + ctx.url[entry.getKey()] = entry.getValue(); + } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { + ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; + ctx.url[entry.getKey()].add(entry.getValue()); + } + } + } + - remove: + field: _temp_ + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/f5/0.11.2/data_stream/bigipapm/fields/base-fields.yml b/packages/f5/0.11.2/data_stream/bigipapm/fields/base-fields.yml new file mode 100755 index 0000000000..6735d33f76 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/fields/base-fields.yml @@ -0,0 +1,38 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: f5 +- name: event.dataset + type: constant_keyword + description: Event dataset + value: f5.bigipapm +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long diff --git a/packages/f5/0.11.2/data_stream/bigipapm/fields/ecs.yml b/packages/f5/0.11.2/data_stream/bigipapm/fields/ecs.yml new file mode 100755 index 0000000000..9d6453da39 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/fields/ecs.yml @@ -0,0 +1,570 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/f5/0.11.2/data_stream/bigipapm/fields/fields.yml b/packages/f5/0.11.2/data_stream/bigipapm/fields/fields.yml new file mode 100755 index 0000000000..710c87215f --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/fields/fields.yml @@ -0,0 +1,1755 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword + description: Interface name as reported by the system. diff --git a/packages/f5/0.11.2/data_stream/bigipapm/manifest.yml b/packages/f5/0.11.2/data_stream/bigipapm/manifest.yml new file mode 100755 index 0000000000..b8f848a508 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/manifest.yml @@ -0,0 +1,204 @@ +title: Big-IP Access Policy Manager logs +release: experimental +type: logs +streams: + - input: udp + title: Big-IP Access Policy Manager logs + description: Collect Big-IP Access Policy Manager logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - f5-bigipapm + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 9526 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Big-IP Access Policy Manager logs + description: Collect Big-IP Access Policy Manager logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - f5-bigipapm + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP port to listen on + multi: false + required: true + show_user: true + default: 9526 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + enabled: false + title: Big-IP Access Policy Manager logs + description: Collect Big-IP Access Policy Manager logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/f5-bigipapm.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - f5-bigipapm + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/f5/0.11.2/data_stream/bigipapm/sample_event.json b/packages/f5/0.11.2/data_stream/bigipapm/sample_event.json new file mode 100755 index 0000000000..671fb995a1 --- /dev/null +++ b/packages/f5/0.11.2/data_stream/bigipapm/sample_event.json @@ -0,0 +1,72 @@ +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "ad0b46aa-4387-41a6-a7c0-5563752016e6", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "f5.bigipapm", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "code": "01490106", + "dataset": "f5.bigipapm", + "ingested": "2022-01-25T12:21:52Z", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "high", + "source": { + "address": "172.30.0.4:39171" + } + }, + "observer": { + "product": "Big-IP", + "type": "Access", + "vendor": "F5" + }, + "process": { + "pid": 6720 + }, + "related": { + "user": [ + "abo" + ] + }, + "rsa": { + "internal": { + "messageid": "01490106" + }, + "misc": { + "log_session_id": "sequa", + "result": "success", + "severity": "high" + }, + "time": { + "event_time": "2016-01-29T06:09:59.000Z" + } + }, + "tags": [ + "f5-bigipapm", + "forwarded" + ], + "user": { + "name": "abo" + } +} \ No newline at end of file diff --git a/packages/f5/0.11.2/docs/README.md b/packages/f5/0.11.2/docs/README.md new file mode 100755 index 0000000000..a9075fa5d3 --- /dev/null +++ b/packages/f5/0.11.2/docs/README.md @@ -0,0 +1,1587 @@ +# F5 integration + +This integration is for F5 device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: +- `bigipapm` dataset: supports Big-IP Access Policy Manager logs. +- `bigipafm` dataset: supports Big-IP Advanced Firewall Manager logs. + +### Bigipapm + +The `bigipapm` dataset collects Big-IP Access Policy Manager logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | + +### Bigipafm + +The `bigipafm` dataset collects Big-IP Advanced Firewall Manager logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location.lat | | double | +| destination.geo.location.lon | | double | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| error.message | Error message. | text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.original | This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names seen on your event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | This key is used to capture the directory of the target process or file | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target **VMWARE** only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | Server domain. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location.lat | | double | +| source.geo.location.lon | | double | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | +| url.path | Path of the request, such as "/search". | keyword | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | + diff --git a/packages/f5/0.11.2/img/logo.svg b/packages/f5/0.11.2/img/logo.svg new file mode 100755 index 0000000000..d985bde962 --- /dev/null +++ b/packages/f5/0.11.2/img/logo.svg @@ -0,0 +1 @@ +Asset 1 \ No newline at end of file diff --git a/packages/f5/0.11.2/manifest.yml b/packages/f5/0.11.2/manifest.yml new file mode 100755 index 0000000000..a0b2da2c8b --- /dev/null +++ b/packages/f5/0.11.2/manifest.yml @@ -0,0 +1,32 @@ +format_version: 1.0.0 +name: f5 +title: F5 Logs +version: "0.11.2" +description: Collect and parse logs from F5 devices with Elastic Agent. +categories: ["network", "security"] +release: experimental +license: basic +type: integration +conditions: + kibana.version: "^7.14.1 || ^8.0.0" +policy_templates: + - name: F5 + title: F5 logs + description: Collect F5 logs from syslog or a file. + inputs: + - type: udp + title: Collect logs from F5 via UDP + description: Collecting syslog from F5 via UDP + - type: tcp + title: Collect logs from F5 via TCP + description: Collecting syslog from F5 via TCP + - type: logfile + title: Collect logs from F5 via file + description: Collecting syslog from F5 via file. +icons: + - src: /img/logo.svg + title: Big-IP Access Policy Manager logo + size: 32x32 + type: image/svg+xml +owner: + github: elastic/security-external-integrations diff --git a/packages/fim/1.2.3/LICENSE.txt b/packages/fim/1.2.3/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/fim/1.2.3/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fim/1.2.3/changelog.yml b/packages/fim/1.2.3/changelog.yml new file mode 100755 index 0000000000..5fab4adbe8 --- /dev/null +++ b/packages/fim/1.2.3/changelog.yml @@ -0,0 +1,36 @@ +# newer versions go on top +- version: "1.2.3" + changes: + - description: Fix path configuration documentation. + type: bugfix + link: https://github.com/elastic/integrations/issues/4370 +- version: "1.2.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4407 +- version: "1.2.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.2.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3865 +- version: "1.1.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.0.0" + changes: + - description: "Make GA and compatible with 8.2" + type: enhancement + link: https://github.com/elastic/integrations/pull/3389 +- version: "0.1.0" + changes: + - description: Initial version + type: enhancement + link: https://github.com/elastic/integrations/pull/3143 diff --git a/packages/fim/1.2.3/data_stream/event/agent/stream/file_integrity.yml.hbs b/packages/fim/1.2.3/data_stream/event/agent/stream/file_integrity.yml.hbs new file mode 100755 index 0000000000..b849d82f35 --- /dev/null +++ b/packages/fim/1.2.3/data_stream/event/agent/stream/file_integrity.yml.hbs @@ -0,0 +1,33 @@ +type: audit/file_integrity +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +recursive: {{recursive}} +scan_at_start: {{scan_at_start}} +hash_types: +{{#each hash_types as |hash i|}} + - {{hash}} +{{/each}} +max_file_size: {{max_file_size}} +scan_rate_per_sec: {{scan_rate_per_sec}} +exclude_files: +{{#each exclude_files as |expr i|}} + - {{expr}} +{{/each}} +include_files: +{{#each include_files as |expr i|}} + - {{expr}} +{{/each}} +keep_null: {{keep_null}} +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/fim/1.2.3/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/fim/1.2.3/data_stream/event/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..f9f424167e --- /dev/null +++ b/packages/fim/1.2.3/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,10 @@ +--- +description: Pipeline for processing auditd events +processors: + - set: + field: ecs.version + value: '8.4.0' +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/fim/1.2.3/data_stream/event/fields/agent.yml b/packages/fim/1.2.3/data_stream/event/fields/agent.yml new file mode 100755 index 0000000000..f027c185f4 --- /dev/null +++ b/packages/fim/1.2.3/data_stream/event/fields/agent.yml @@ -0,0 +1,193 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/fim/1.2.3/data_stream/event/fields/base-fields.yml b/packages/fim/1.2.3/data_stream/event/fields/base-fields.yml new file mode 100755 index 0000000000..0c26baedb3 --- /dev/null +++ b/packages/fim/1.2.3/data_stream/event/fields/base-fields.yml @@ -0,0 +1,25 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: file_integrity +- name: event.dataset + type: constant_keyword + description: Event dataset + value: fim.event +- name: '@timestamp' + type: date + description: Event timestamp. +- name: tags + description: List of keywords used to tag each event. + example: '["production", "env2"]' + ignore_above: 1024 + type: keyword diff --git a/packages/fim/1.2.3/data_stream/event/fields/ecs.yml b/packages/fim/1.2.3/data_stream/event/fields/ecs.yml new file mode 100755 index 0000000000..1a4f8f6ce9 --- /dev/null +++ b/packages/fim/1.2.3/data_stream/event/fields/ecs.yml @@ -0,0 +1,251 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Primary group ID (GID) of the file. + name: file.gid + type: keyword +- description: Primary group name of the file. + name: file.group + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + name: file.mime_type + type: keyword +- description: Mode of the file in octal representation. + name: file.mode + type: keyword +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: File owner's username. + name: file.owner + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Target path for symlinks. + multi_fields: + - name: text + type: match_only_text + name: file.target_path + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: The user ID (UID) or security identifier (SID) of the file owner. + name: file.uid + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: Operating system architecture. + name: host.architecture + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + normalize: + - array + type: keyword +- description: |- + Length of the process.args array. + This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + name: process.args_count + type: long +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + The exit code of the process, if this is a termination event. + The field should be absent if there is no exit code for the event (e.g. process start). + name: process.exit_code + type: long +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Unique identifier for the group on the system/platform. + name: user.effective.group.id + type: keyword +- description: Name of the group. + name: user.effective.group.name + type: keyword +- description: Unique identifier of the user. + name: user.effective.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.effective.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/fim/1.2.3/data_stream/event/fields/package-fields.yml b/packages/fim/1.2.3/data_stream/event/fields/package-fields.yml new file mode 100755 index 0000000000..69aaa4e9cc --- /dev/null +++ b/packages/fim/1.2.3/data_stream/event/fields/package-fields.yml @@ -0,0 +1,22 @@ +- name: file + type: group + description: File attributes. + fields: + - name: setuid + type: boolean + example: true + description: Set if the file has the `setuid` bit set. Omitted otherwise. + - name: setgid + type: boolean + example: true + description: Set if the file has the `setgid` bit set. Omitted otherwise. + - name: origin + type: keyword + description: > + An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available. + + multi_fields: + - name: text + type: text + description: >- + This is an analyzed field that is useful for full text search on the origin data. diff --git a/packages/fim/1.2.3/data_stream/event/manifest.yml b/packages/fim/1.2.3/data_stream/event/manifest.yml new file mode 100755 index 0000000000..9ae128e183 --- /dev/null +++ b/packages/fim/1.2.3/data_stream/event/manifest.yml @@ -0,0 +1,7 @@ +title: "Filesystem events" +type: logs +streams: + - input: audit/file_integrity + title: Filesystem events + description: Collect filesystem events + template_path: file_integrity.yml.hbs diff --git a/packages/fim/1.2.3/data_stream/event/sample_event.json b/packages/fim/1.2.3/data_stream/event/sample_event.json new file mode 100755 index 0000000000..77a47bdb8b --- /dev/null +++ b/packages/fim/1.2.3/data_stream/event/sample_event.json @@ -0,0 +1,64 @@ +{ + "@timestamp": "2022-04-20T09:02:19.365Z", + "agent": { + "ephemeral_id": "5c919e9b-3b1f-4426-b93f-f5705bac73f9", + "id": "7e061f66-bf86-41e2-858d-d5cbe22e06b1", + "name": "docker-fleet-agent", + "type": "auditbeat", + "version": "8.3.0" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "7e061f66-bf86-41e2-858d-d5cbe22e06b1", + "snapshot": true, + "version": "8.3.0" + }, + "data_stream": { + "dataset": "fim.event", + "namespace": "ep", + "type": "logs" + }, + "event": { + "action": [ + "attributes_modified" + ], + "agent_id_status": "verified", + "category": [ + "file" + ], + "dataset": "fim.event", + "ingested": "2022-04-20T09:02:20Z", + "kind": "event", + "module": "file_integrity", + "type": [ + "change" + ] + }, + "file": { + "ctime": "2022-04-20T09:02:19.361Z", + "gid": "0", + "group": "root", + "hash": { + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709" + }, + "inode": "56198717", + "mode": "0644", + "mtime": "2022-04-20T09:02:19.361Z", + "owner": "root", + "path": "/tmp/service_logs/done", + "size": 0, + "type": "file", + "uid": "0" + }, + "host": { + "name": "docker-fleet-agent" + }, + "service": { + "type": "file_integrity" + }, + "tags": [ + "fim-event" + ] +} \ No newline at end of file diff --git a/packages/fim/1.2.3/docs/README.md b/packages/fim/1.2.3/docs/README.md new file mode 100755 index 0000000000..92af0803e8 --- /dev/null +++ b/packages/fim/1.2.3/docs/README.md @@ -0,0 +1,207 @@ +# File Integrity Monitoring Integration + +This integration sends events when a file is changed (created, updated, or deleted) on disk. The events contain file metadata and hashes. + +The integration is implemented for Linux, macOS (Darwin), and Windows. + + +| ⚠️ This integration should not be used to monitor paths on network file systems. | +| ---- | + +## How it works + +This integration uses features of the operating system to monitor file changes in realtime. When the integration starts it creates a subscription with the OS to receive notifications of changes to the specified files or directories. Upon receiving notification of a change the integration will read the file’s metadata and then compute a hash of the file’s contents. + +At startup this integration will perform an initial scan of the configured files and directories to generate baseline data for the monitored paths and detect changes since the last time it was run. It uses locally persisted data in order to only send events for new or modified files. + +## Compatibility + +The operating system features that power this feature are as follows: +- **Linux** - inotify is used, and therefore the kernel must have inotify support. Inotify was initially merged into the 2.6.13 Linux kernel. +- **macOS (Darwin)** - Uses the FSEvents API, present since macOS 10.5. This API coalesces multiple changes to a file into a single event. Auditbeat translates this coalesced changes into a meaningful sequence of actions. However, in rare situations the reported events may have a different ordering than what actually happened. +- **Windows** - ReadDirectoryChangesW is used. + +An example event for `event` looks as following: + +```json +{ + "@timestamp": "2022-04-20T09:02:19.365Z", + "agent": { + "ephemeral_id": "5c919e9b-3b1f-4426-b93f-f5705bac73f9", + "id": "7e061f66-bf86-41e2-858d-d5cbe22e06b1", + "name": "docker-fleet-agent", + "type": "auditbeat", + "version": "8.3.0" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "7e061f66-bf86-41e2-858d-d5cbe22e06b1", + "snapshot": true, + "version": "8.3.0" + }, + "data_stream": { + "dataset": "fim.event", + "namespace": "ep", + "type": "logs" + }, + "event": { + "action": [ + "attributes_modified" + ], + "agent_id_status": "verified", + "category": [ + "file" + ], + "dataset": "fim.event", + "ingested": "2022-04-20T09:02:20Z", + "kind": "event", + "module": "file_integrity", + "type": [ + "change" + ] + }, + "file": { + "ctime": "2022-04-20T09:02:19.361Z", + "gid": "0", + "group": "root", + "hash": { + "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709" + }, + "inode": "56198717", + "mode": "0644", + "mtime": "2022-04-20T09:02:19.361Z", + "owner": "root", + "path": "/tmp/service_logs/done", + "size": 0, + "type": "file", + "uid": "0" + }, + "host": { + "name": "docker-fleet-agent" + }, + "service": { + "type": "file_integrity" + }, + "tags": [ + "fim-event" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.group | Primary group name of the file. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| file.mode | Mode of the file in octal representation. | keyword | +| file.mtime | Last time the file content was modified. | date | +| file.origin | An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available. | keyword | +| file.origin.text | Multi-field of `file.origin`. | text | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.setgid | Set if the file has the `setgid` bit set. Omitted otherwise. | boolean | +| file.setuid | Set if the file has the `setuid` bit set. Omitted otherwise. | boolean | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.target_path | Target path for symlinks. | keyword | +| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | +| file.type | File type (file, dir, or symlink). | keyword | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + diff --git a/packages/fim/1.2.3/img/sample-logo.svg b/packages/fim/1.2.3/img/sample-logo.svg new file mode 100755 index 0000000000..6268dd88f3 --- /dev/null +++ b/packages/fim/1.2.3/img/sample-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/fim/1.2.3/manifest.yml b/packages/fim/1.2.3/manifest.yml new file mode 100755 index 0000000000..118cd30a48 --- /dev/null +++ b/packages/fim/1.2.3/manifest.yml @@ -0,0 +1,136 @@ +format_version: 1.0.0 +name: fim +title: "File Integrity Monitoring" +version: "1.2.3" +license: basic +release: ga +description: "The File Integrity Monitoring integration reports filesystem changes in real time." +type: integration +categories: + - monitoring + - os_system + - security +conditions: + kibana.version: "^8.2.0" +icons: + - src: /img/sample-logo.svg + title: Sample logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: fim + title: File Integrity Monitoring + description: Collect filesystem events + inputs: + - type: audit/file_integrity + title: Collect filesystem events + description: Collecting filesystem events +vars: + - name: paths + type: text + title: Paths to monitor + description: | + Paths (directories or files) to watch. Globs are not supported. The specified + paths should exist when the module is started. Paths should be absolute, + although the file integrity module will attempt to resolve relative path events to + their absolute file path. Symbolic links are resolved at startup. + multi: true + show_user: true + required: true + default: + - /bin + - /usr/bin + - /sbin + - /usr/sbin + - /etc + - /usr/share + - name: recursive + type: bool + title: Recursive monitoring + description: Detect changes to files in subdirectories. + default: false + show_user: true + required: false + - name: scan_at_start + type: bool + title: Scan at start + description: | + Scan over the configured file paths at startup and send events for new or + modified files since the last time the agent was running. + show_user: true + required: false + default: true + - name: hash_types + type: text + title: Hash algorithms + description: | + Hash types to compute when the file changes. Supported types are: + `blake2b_256`, `blake2b_384`, `blake2b_512`, `md5`, `sha1`, `sha224`, `sha256`, `sha384`, + `sha512`, `sha512_224`, `sha512_256`, `sha3_224`, `sha3_256`, `sha3_384`, `sha3_512`, and `xxh64`. + multi: true + show_user: true + required: false + default: + - sha1 + - name: max_file_size + type: text + title: File size limit + description: Limit on the size of files that will be hashed. + show_user: false + required: false + default: 100 MiB + - name: scan_rate_per_sec + type: text + title: Scan rate + description: | + Average scan rate. This throttles the amount of CPU and I/O that will + be consumed at startup while scanning. + show_user: false + required: false + default: 50 MiB + - name: include_files + type: text + title: Include files + description: List of regular expressions used to explicitly include files. + multi: true + required: false + show_user: false + - name: exclude_files + type: text + title: Exclude files + description: | + List of regular expressions used to explicitly include files. When configured, + files will be ignored unless they match one of the patterns. + multi: true + show_user: false + required: false + default: + - '(?i)\.sw[nop]$' + - '~$' + - '/\.git($|/)' + - name: keep_null + type: bool + title: Keep null fields + description: Set to true to publish fields with null values + show_user: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false + default: + - fim-event + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: | + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. + This executes in the agent before the logs are parsed. + See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. +owner: + github: elastic/security-external-integrations diff --git a/packages/fireeye/1.6.2/LICENSE.txt b/packages/fireeye/1.6.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/fireeye/1.6.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fireeye/1.6.2/changelog.yml b/packages/fireeye/1.6.2/changelog.yml new file mode 100755 index 0000000000..81a8bfcc11 --- /dev/null +++ b/packages/fireeye/1.6.2/changelog.yml @@ -0,0 +1,85 @@ +- version: "1.6.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4407 +- version: "1.6.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.6.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3865 +- version: "1.5.1" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "1.5.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.4.0" + changes: + - description: Add JA3/JA3S to `related.hash` + type: enhancement + link: https://github.com/elastic/integrations/pull/3440 +- version: "1.3.1" + changes: + - description: Move invalid field value in sample event file + type: bugfix + link: https://github.com/elastic/integrations/pull/3331 +- version: "1.3.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "1.2.4" + changes: + - description: Move invalid field values + type: bugfix + link: https://github.com/elastic/integrations/pull/3099 +- version: "1.2.3" + changes: + - description: Fix typo in config template for ignoring host enrichment + type: bugfix + link: https://github.com/elastic/integrations/pull/3092 +- version: "1.2.2" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.2.1" + changes: + - description: Fix field mappings for `dns.id` and `network.iana_number` + type: enhancement + link: https://github.com/elastic/integrations/pull/2892 +- version: "1.2.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2404 +- version: "1.1.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.1.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.1.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2225 +- version: "1.0.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/1887 diff --git a/packages/fireeye/1.6.2/data_stream/nx/agent/stream/stream.yml.hbs b/packages/fireeye/1.6.2/data_stream/nx/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..2926520e1b --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/agent/stream/stream.yml.hbs @@ -0,0 +1,17 @@ +paths: +{{#each paths as |path i|}} +- {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/fireeye/1.6.2/data_stream/nx/agent/stream/tcp.yml.hbs b/packages/fireeye/1.6.2/data_stream/nx/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..4cd8124d92 --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/agent/stream/tcp.yml.hbs @@ -0,0 +1,19 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +fields_under_root: true +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/fireeye/1.6.2/data_stream/nx/agent/stream/udp.yml.hbs b/packages/fireeye/1.6.2/data_stream/nx/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..405544b01a --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/agent/stream/udp.yml.hbs @@ -0,0 +1,19 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#each tags as |tag i|}} +- {{tag}} +{{/each}} +fields_under_root: true +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +processors: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/fireeye/1.6.2/data_stream/nx/elasticsearch/ingest_pipeline/default.yml b/packages/fireeye/1.6.2/data_stream/nx/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..2614c17c2f --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,185 @@ +--- +description: Pipeline for processing FireEye NX logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - set: + field: observer.vendor + value: "Fireeye" + - set: + field: observer.product + value: "NX" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - json: + field: json.rawmsg + target_field: rawmsg + ignore_failure: true + # rename raw fields + - pipeline: + name: '{{ IngestPipeline "renaming-raws" }}' + - date: + field: temp_ts + formats: + - strict_date_optional_time_nanos + - remove: + field: temp_ts + - geoip: + field: destination.address + target_field: destination.geo + ignore_missing: true + - geoip: + field: source.address + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.address + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.address + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - user_agent: + field: user_agent.original + ignore_missing: true + + - append: + field: event.category + value: network + if: "['dns', 'flow', 'tls'].contains(ctx?.event?.type)" + - append: + field: event.category + value: [web, network] + if: ctx?.event?.type == 'http' + - append: + field: event.category + value: [file, network] + if: ctx?.event?.type == 'fileinfo' + - set: + field: event.type + value: [info] + + # + # Normalize protocol names + # + - lowercase: + field: "network.transport" + ignore_missing: true + - lowercase: + field: "network.protocol" + ignore_missing: true + - lowercase: + field: "network.direction" + ignore_missing: true + - lowercase: + field: "network.type" + ignore_missing: true + # + # Populate network.iana_number from network.transport. Also does reverse + # mapping in case network.transport contains the iana_number. + # + - script: + if: "ctx?.network?.transport != null" + lang: painless + params: + icmp: '1' + igmp: '2' + ipv4: '4' + tcp: '6' + egp: '8' + igp: '9' + pup: '12' + udp: '17' + rdp: '27' + irtp: '28' + dccp: '33' + idpr: '35' + ipv6: '41' + ipv6-route: '43' + ipv6-frag: '44' + rsvp: '46' + gre: '47' + esp: '50' + ipv6-icmp: '58' + ipv6-nonxt: '59' + ipv6-opts: '60' + source: > + def net = ctx.network; + def iana = params[net.transport]; + if (iana != null) { + net['iana_number'] = iana; + return; + } + def reverse = new HashMap(); + def[] arr = new def[] { null }; + for (entry in params.entrySet()) { + arr[0] = entry.getValue(); + reverse.put(String.format("%d", arr), entry.getKey()); + } + def trans = reverse[net.transport]; + if (trans != null) { + net['iana_number'] = net.transport; + net['transport'] = trans; + } + - community_id: + target_field: network.community_id + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx.destination?.ip != null + - append: + field: related.hash + value: "{{tls.server.ja3s}}" + if: "ctx?.tls?.server?.ja3s != null" + - append: + field: related.hash + value: "{{tls.client.ja3}}" + if: "ctx?.tls?.client?.ja3 != null" + allow_duplicates: false + - remove: + field: + - rawmsg + - json + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fireeye/1.6.2/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml b/packages/fireeye/1.6.2/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml new file mode 100755 index 0000000000..6009b81d76 --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/elasticsearch/ingest_pipeline/renaming-raws.yml @@ -0,0 +1,464 @@ +--- +description: Pipeline for renaming raw fields from incoming event original. +processors: + - rename: + field: rawmsg.timestamp + target_field: temp_ts + ignore_missing: true + - rename: + field: rawmsg.proto + target_field: network.transport + ignore_missing: true + - rename: + field: rawmsg.app_proto + target_field: network.protocol + ignore_missing: true + - rename: + field: rawmsg.flow_id + target_field: fireeye.nx.flow_id + ignore_missing: true + - rename: + field: rawmsg.event_type + target_field: event.type + ignore_missing: true + - rename: + field: rawmsg.src_ip + target_field: source.address + ignore_missing: true + - set: + field: source.ip + copy_from: source.address + ignore_empty_value: true + - rename: + field: rawmsg.src_port + target_field: source.port + ignore_missing: true + - rename: + field: rawmsg.dest_ip + target_field: destination.address + ignore_missing: true + - set: + field: destination.ip + copy_from: destination.address + ignore_empty_value: true + - rename: + field: rawmsg.dest_port + target_field: destination.port + ignore_missing: true + - rename: + field: meta_sip4 + target_field: fireeye.nx.device_ip + ignore_missing: true + - rename: + field: meta_oml + target_field: fireeye.nx.device_oml + ignore_missing: true + - rename: + field: deviceid + target_field: fireeye.nx.deviceid + ignore_missing: true + - rename: + field: meta_cbname + target_field: fireeye.nx.hostname + ignore_missing: true + # flow event type fields + - rename: + field: rawmsg.proto_number + target_field: network.iana_number + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.pkts_toserver + target_field: source.packets + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.pkts_toclient + target_field: destination.packets + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.bytes_toserver + target_field: source.bytes + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.bytes_toclient + target_field: destination.bytes + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.start + target_field: fireeye.nx.flow.starttime + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.end + target_field: fireeye.nx.flow.endtime + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.age + target_field: fireeye.nx.flow.age + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.state + target_field: fireeye.nx.flow.state + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.reason + target_field: fireeye.nx.flow.reason + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.flow.alerted + target_field: fireeye.nx.flow.alerted + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.tcp + target_field: fireeye.nx.tcp + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.icmp_code + target_field: fireeye.nx.flow.icmp_code + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.icmp_type + target_field: fireeye.nx.flow.icmp_type + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.response_icmp_code + target_field: fireeye.nx.flow.response_icmp_code + if: ctx?.event?.type == 'flow' + ignore_missing: true + - rename: + field: rawmsg.response_icmp_type + target_field: fireeye.nx.flow.response_icmp_type + if: ctx?.event?.type == 'flow' + ignore_missing: true + # fileinfo event type fields + - rename: + field: rawmsg.fileinfo.filename + target_field: fireeye.nx.fileinfo.filename + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.magic + target_field: fireeye.nx.fileinfo.magic + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.md5 + target_field: fireeye.nx.fileinfo.md5 + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.size + target_field: fireeye.nx.fileinfo.size + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.state + target_field: fireeye.nx.fileinfo.state + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.fileinfo.stored + target_field: fireeye.nx.fileinfo.stored + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.hostname + target_field: url.domain + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.http_content_type + target_field: http.request.mime_type + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.http_method + target_field: http.request.method + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.http_refer + target_field: http.request.referrer + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.http_user_agent + target_field: user_agent.original + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.length + target_field: http.response.bytes + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.protocol + target_field: http.version + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.status + target_field: http.response.status_code + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.http.url + target_field: url.path + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'fileinfo' + ignore_missing: true + # http event type fields + - rename: + field: rawmsg.http.hostname + target_field: url.domain + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_content_type + target_field: http.request.mime_type + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_method + target_field: http.request.method + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_refer + target_field: http.request.referrer + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_user_agent + target_field: user_agent.original + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.length + target_field: http.response.bytes + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.protocol + target_field: http.version + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.status + target_field: http.response.status_code + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.url + target_field: url.path + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'http' + ignore_missing: true + # http event type fields + - rename: + field: rawmsg.http.hostname + target_field: url.domain + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_content_type + target_field: http.request.mime_type + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_method + target_field: http.request.method + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_refer + target_field: http.request.referrer + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.http_user_agent + target_field: user_agent.original + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.length + target_field: http.response.bytes + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.protocol + target_field: http.version + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.status + target_field: http.response.status_code + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.http.url + target_field: url.path + if: ctx?.event?.type == 'http' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'http' + ignore_missing: true + # dns event type fields + - convert: + field: rawmsg.dns.id + target_field: dns.id + type: string + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.rcode + target_field: dns.response_code + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.rdata + target_field: dns.resolved_data + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.rrname + target_field: dns.question.name + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.rrtype + target_field: dns.question.type + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.ttl + target_field: dns.answers.ttl + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.dns.type + target_field: dns.type + if: ctx?.event?.type == 'dns' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'dns' + ignore_missing: true + # tls event type fields + - rename: + field: rawmsg.tls.client_ciphersuites + target_field: tls.client.ciphersuites + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.client_tls_exts + target_field: tls.client.tls_exts + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.fingerprint + target_field: tls.client.fingerprint + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.issuerdn + target_field: tls.client.issuer + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.ja3.hash + target_field: tls.client.ja3 + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.ja3.string + target_field: tls.client.ja3_string + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.ja3s.hash + target_field: tls.server.ja3s + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.ja3s.string + target_field: tls.server.ja3s_string + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.notbefore + target_field: tls.client.not_before + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.notafter + target_field: tls.client.not_after + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.pubkeylength + target_field: tls.public_keylength + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.server_ciphersuite + target_field: tls.server.ciphersuite + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.server_tls_exts + target_field: tls.server.tls_exts + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.sni + target_field: tls.client.server_name + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.subject + target_field: tls.client.subject + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.version + target_field: tls.version + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.tls.fatal_alert + target_field: fireeye.nx.tls.fetal_alert + if: ctx?.event?.type == 'tls' + ignore_missing: true + - rename: + field: rawmsg.iface + target_field: interface.name + if: ctx?.event?.type == 'tls' + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fireeye/1.6.2/data_stream/nx/fields/agent.yml b/packages/fireeye/1.6.2/data_stream/nx/fields/agent.yml new file mode 100755 index 0000000000..368be73427 --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/fields/agent.yml @@ -0,0 +1,182 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/fireeye/1.6.2/data_stream/nx/fields/base-fields.yml b/packages/fireeye/1.6.2/data_stream/nx/fields/base-fields.yml new file mode 100755 index 0000000000..cdff14cc88 --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: fireeye +- name: event.dataset + type: constant_keyword + description: Event dataset + value: fireeye.nx diff --git a/packages/fireeye/1.6.2/data_stream/nx/fields/ecs.yml b/packages/fireeye/1.6.2/data_stream/nx/fields/ecs.yml new file mode 100755 index 0000000000..aa0e7340e8 --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/fields/ecs.yml @@ -0,0 +1,307 @@ +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: Size in bytes of the response body. + name: http.response.body.bytes + type: long +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: HTTP version. + name: http.version + type: keyword +- description: |- + Mime type of the body of the request. + This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. + name: http.request.mime_type + type: keyword +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Port of the source. + name: source.port + type: long +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: Interface name as reported by the system. + name: interface.name + type: keyword +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + name: tls.client.issuer + type: keyword +- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. + name: tls.client.ja3 + type: keyword +- description: Date/Time indicating when client certificate is first considered valid. + name: tls.client.not_before + type: date +- description: Date/Time indicating when client certificate is no longer considered valid. + name: tls.client.not_after + type: date +- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + name: tls.client.server_name + type: keyword +- description: Distinguished name of subject of the x.509 certificate presented by the client. + name: tls.client.subject + type: keyword +- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. + name: tls.server.ja3s + type: keyword +- description: Numeric part of the version parsed from the original string. + name: tls.version + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword diff --git a/packages/fireeye/1.6.2/data_stream/nx/fields/fields.yml b/packages/fireeye/1.6.2/data_stream/nx/fields/fields.yml new file mode 100755 index 0000000000..8a25bb461f --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/fields/fields.yml @@ -0,0 +1,108 @@ +- name: fireeye.nx + type: group + fields: + - name: flow_id + type: long + description: Flow ID of the event. + - name: flow + type: group + fields: + - name: age + type: long + description: Flow age. + - name: alerted + type: boolean + description: Flow alerted or not. + - name: endtime + type: date + description: Flow endtime. + - name: reason + type: keyword + description: Flow reason. + - name: starttime + type: date + description: Flow start time. + - name: state + type: keyword + description: Flow state. + - name: tcp + type: group + fields: + - name: ack + type: boolean + description: TCP acknowledgement. + - name: psh + type: boolean + description: TCP PSH. + - name: state + type: keyword + description: TCP connectin state. + - name: syn + type: boolean + description: TCP SYN. + - name: tcp_flags + type: keyword + description: TCP flags. + - name: tcp_flags_tc + type: keyword + description: TCP flags. + - name: tcp_flags_ts + type: keyword + description: TCP flags. + - name: fileinfo + type: group + fields: + - name: filename + type: keyword + description: File name. + - name: magic + type: keyword + description: Fileinfo magic. + - name: md5 + type: keyword + description: File hash. + - name: size + type: long + description: File size. + - name: state + type: keyword + description: File state. + - name: stored + type: boolean + description: File stored or not. +- name: tls + type: group + fields: + - name: client + type: group + fields: + - name: ciphersuites + type: array + description: TLS cipher suites by client. + - name: fingerprint + type: keyword + description: TLS fingerprint. + - name: ja3_string + type: keyword + description: A hash that identifies clients based on how they perform an SSL/TLS handshake. + - name: tls_exts + type: array + description: TLS extensions set by client. + - name: server + type: group + fields: + - name: ciphersuite + type: array + description: TLS cipher suites by server. + - name: ja3s_string + type: keyword + description: A hash that identifies servers based on how they perform an SSL/TLS handshake. + - name: tls_exts + type: array + description: TLS extensions set by server. + - name: public_keylength + type: long + description: TLS public key length. +- name: log.source.address + type: keyword + description: Logs Source Raw address. diff --git a/packages/fireeye/1.6.2/data_stream/nx/manifest.yml b/packages/fireeye/1.6.2/data_stream/nx/manifest.yml new file mode 100755 index 0000000000..c52d2799be --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/manifest.yml @@ -0,0 +1,149 @@ +title: Fireeye NX +type: logs +streams: + - input: logfile + template_path: stream.yml.hbs + title: Fireeye NX logs + description: Collect fireye nx logs + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/fireeye-nx* + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fireeye-nx + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + multi: false + required: false + show_user: true + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: udp + title: Fireeye NX logs + description: Collect Fireeye NX logs using udp input + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fireeye-nx + - forwarded + - name: udp_host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 9523 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + multi: false + required: false + show_user: true + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Fireeye NX logs + description: Collect Fireeye NX logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fireeye-nx + - forwarded + - name: tcp_host + type: text + title: TCP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: TCP port to listen on + multi: false + required: true + show_user: true + default: 9523 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + multi: false + required: false + show_user: true + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/fireeye/1.6.2/data_stream/nx/sample_event.json b/packages/fireeye/1.6.2/data_stream/nx/sample_event.json new file mode 100755 index 0000000000..82e546ae4e --- /dev/null +++ b/packages/fireeye/1.6.2/data_stream/nx/sample_event.json @@ -0,0 +1,112 @@ +{ + "@timestamp": "2020-09-22T08:34:44.991Z", + "agent": { + "ephemeral_id": "9c10aabf-b5f2-46d4-af8d-eccd5dfe3597", + "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "fireeye.nx", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "ff02:0000:0000:0000:0000:0000:0000:0001", + "bytes": 0, + "ip": "ff02:0000:0000:0000:0000:0000:0000:0001", + "packets": 0, + "port": 10001 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "fireeye.nx", + "ingested": "2022-05-12T06:20:01Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "fireeye": { + "nx": { + "flow": { + "age": 0, + "alerted": false, + "endtime": "2020-09-22T08:34:12.761348+0000", + "reason": "timeout", + "starttime": "2020-09-22T08:34:12.761326+0000", + "state": "new" + }, + "flow_id": 721570461162990 + } + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.16.7" + ], + "mac": [ + "02:42:c0:a8:10:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/fireeye-nx.log" + }, + "offset": 0 + }, + "network": { + "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=", + "iana_number": "17", + "protocol": "failed", + "transport": "udp" + }, + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "related": { + "ip": [ + "fe80:0000:0000:0000:feec:daff:fe31:b706", + "ff02:0000:0000:0000:0000:0000:0000:0001" + ] + }, + "source": { + "address": "fe80:0000:0000:0000:feec:daff:fe31:b706", + "bytes": 1680, + "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706", + "packets": 8, + "port": 45944 + }, + "tags": [ + "fireeye-nx" + ] +} \ No newline at end of file diff --git a/packages/fireeye/1.6.2/docs/README.md b/packages/fireeye/1.6.2/docs/README.md new file mode 100755 index 0000000000..1ff07b8299 --- /dev/null +++ b/packages/fireeye/1.6.2/docs/README.md @@ -0,0 +1,287 @@ +# FireEye Integration + +This integration periodically fetches logs from [FireEye Network Security](https://www.fireeye.com/products/network-security.html) devices. + +## Compatibility + +The FireEye `nx` integration has been developed against FireEye Network Security 9.0.0.916432 but is expected to work with other versions. + +## Logs + +### NX + +The `nx` integration ingests network security logs from FireEye NX through TCP/UDP and file. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| fireeye.nx.fileinfo.filename | File name. | keyword | +| fireeye.nx.fileinfo.magic | Fileinfo magic. | keyword | +| fireeye.nx.fileinfo.md5 | File hash. | keyword | +| fireeye.nx.fileinfo.size | File size. | long | +| fireeye.nx.fileinfo.state | File state. | keyword | +| fireeye.nx.fileinfo.stored | File stored or not. | boolean | +| fireeye.nx.flow.age | Flow age. | long | +| fireeye.nx.flow.alerted | Flow alerted or not. | boolean | +| fireeye.nx.flow.endtime | Flow endtime. | date | +| fireeye.nx.flow.reason | Flow reason. | keyword | +| fireeye.nx.flow.starttime | Flow start time. | date | +| fireeye.nx.flow.state | Flow state. | keyword | +| fireeye.nx.flow_id | Flow ID of the event. | long | +| fireeye.nx.tcp.ack | TCP acknowledgement. | boolean | +| fireeye.nx.tcp.psh | TCP PSH. | boolean | +| fireeye.nx.tcp.state | TCP connectin state. | keyword | +| fireeye.nx.tcp.syn | TCP SYN. | boolean | +| fireeye.nx.tcp.tcp_flags | TCP flags. | keyword | +| fireeye.nx.tcp.tcp_flags_tc | TCP flags. | keyword | +| fireeye.nx.tcp.tcp_flags_ts | TCP flags. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Input type | keyword | +| interface.name | Interface name as reported by the system. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| log.source.address | Logs Source Raw address. | keyword | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| tls.client.ciphersuites | TLS cipher suites by client. | array | +| tls.client.fingerprint | TLS fingerprint. | keyword | +| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | +| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | +| tls.client.ja3_string | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | +| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date | +| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | +| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | +| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | +| tls.client.tls_exts | TLS extensions set by client. | array | +| tls.public_keylength | TLS public key length. | long | +| tls.server.ciphersuite | TLS cipher suites by server. | array | +| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | +| tls.server.ja3s_string | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | +| tls.server.tls_exts | TLS extensions set by server. | array | +| tls.version | Numeric part of the version parsed from the original string. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +An example event for `nx` looks as following: + +```json +{ + "@timestamp": "2020-09-22T08:34:44.991Z", + "agent": { + "ephemeral_id": "9c10aabf-b5f2-46d4-af8d-eccd5dfe3597", + "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "fireeye.nx", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "ff02:0000:0000:0000:0000:0000:0000:0001", + "bytes": 0, + "ip": "ff02:0000:0000:0000:0000:0000:0000:0001", + "packets": 0, + "port": 10001 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "2411eb51-1c57-41d1-962f-cd06ac57198b", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "fireeye.nx", + "ingested": "2022-05-12T06:20:01Z", + "original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "fireeye": { + "nx": { + "flow": { + "age": 0, + "alerted": false, + "endtime": "2020-09-22T08:34:12.761348+0000", + "reason": "timeout", + "starttime": "2020-09-22T08:34:12.761326+0000", + "state": "new" + }, + "flow_id": 721570461162990 + } + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "ip": [ + "192.168.16.7" + ], + "mac": [ + "02:42:c0:a8:10:07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.4 LTS (Focal Fossa)" + } + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/fireeye-nx.log" + }, + "offset": 0 + }, + "network": { + "community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=", + "iana_number": "17", + "protocol": "failed", + "transport": "udp" + }, + "observer": { + "product": "NX", + "vendor": "Fireeye" + }, + "related": { + "ip": [ + "fe80:0000:0000:0000:feec:daff:fe31:b706", + "ff02:0000:0000:0000:0000:0000:0000:0001" + ] + }, + "source": { + "address": "fe80:0000:0000:0000:feec:daff:fe31:b706", + "bytes": 1680, + "ip": "fe80:0000:0000:0000:feec:daff:fe31:b706", + "packets": 8, + "port": 45944 + }, + "tags": [ + "fireeye-nx" + ] +} +``` \ No newline at end of file diff --git a/packages/fireeye/1.6.2/img/FireEye-logo.svg b/packages/fireeye/1.6.2/img/FireEye-logo.svg new file mode 100755 index 0000000000..50906981f0 --- /dev/null +++ b/packages/fireeye/1.6.2/img/FireEye-logo.svg @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/fireeye/1.6.2/manifest.yml b/packages/fireeye/1.6.2/manifest.yml new file mode 100755 index 0000000000..67bc3a0e98 --- /dev/null +++ b/packages/fireeye/1.6.2/manifest.yml @@ -0,0 +1,35 @@ +format_version: 1.0.0 +name: fireeye +title: "FireEye Network Security" +version: 1.6.2 +license: basic +description: Collect logs from FireEye NX with Elastic Agent. +type: integration +categories: + - monitoring + - network + - security +release: ga +conditions: + kibana.version: "^7.16.0 || ^8.0.0" +icons: + - src: /img/FireEye-logo.svg + title: Fireeye logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: fireeye + title: Fireeye NX logs + description: Collect Fireeye NX logs + inputs: + - type: logfile + title: Collect Fireeye NX logs from instances + description: Collecting Fireeye NX logs + - type: udp + title: Collect logs from Fireeye NXtwork Security via UDP + description: Collecting Fireeye NX logs via UDP + - type: tcp + title: Collect logs from Fireeye NXtwork Security via TCP + description: Collecting Fireeye NX logs via TCP +owner: + github: elastic/security-external-integrations diff --git a/packages/fortinet_forticlient/1.1.3/LICENSE.txt b/packages/fortinet_forticlient/1.1.3/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fortinet_forticlient/1.1.3/changelog.yml b/packages/fortinet_forticlient/1.1.3/changelog.yml new file mode 100755 index 0000000000..eca1bc5633 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/changelog.yml @@ -0,0 +1,26 @@ +# newer versions go on top +- version: "1.1.3" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4407 +- version: "1.1.2" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "1.1.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.1.0" + changes: + - description: Update Ingest Pipeline with observer Fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3819 +- version: "1.0.0" + changes: + - description: Initial version of Fortinet FortiClient as separate package + type: enhancement + link: https://github.com/elastic/integrations/pull/3268 diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..47e8e2489c --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/log.yml.hbs @@ -0,0 +1,2768 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" proto="), + field("hprotocol"), + constant(" service="), + field("messageid"), + constant(" status="), + field("haction"), + constant(" src="), + field("hsaddr"), + constant(" dst="), + field("hdaddr"), + constant(" src_port="), + field("hsport"), + constant(" dst_port="), + field("hdport"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(" times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld5"), + constant("::"), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + ]); + + var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg1 = msg("enter", part1); + + var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg2 = msg("repeated", part2); + + var msg3 = msg("ms-wbt-server", dup9); + + var msg4 = msg("http", dup9); + + var msg5 = msg("https", dup9); + + var msg6 = msg("smtp", dup9); + + var msg7 = msg("pop3", dup9); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "enter": msg1, + "http": msg4, + "https": msg5, + "ms-wbt-server": msg3, + "pop3": msg7, + "repeated": msg2, + "smtp": msg6, + }), + ]); + + var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..8b125a6554 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,2765 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" proto="), + field("hprotocol"), + constant(" service="), + field("messageid"), + constant(" status="), + field("haction"), + constant(" src="), + field("hsaddr"), + constant(" dst="), + field("hdaddr"), + constant(" src_port="), + field("hsport"), + constant(" dst_port="), + field("hdport"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(" times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld5"), + constant("::"), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + ]); + + var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg1 = msg("enter", part1); + + var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg2 = msg("repeated", part2); + + var msg3 = msg("ms-wbt-server", dup9); + + var msg4 = msg("http", dup9); + + var msg5 = msg("https", dup9); + + var msg6 = msg("smtp", dup9); + + var msg7 = msg("pop3", dup9); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "enter": msg1, + "http": msg4, + "https": msg5, + "ms-wbt-server": msg3, + "pop3": msg7, + "repeated": msg2, + "smtp": msg6, + }), + ]); + + var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..f0f156a3a8 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,2765 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" proto="), + field("hprotocol"), + constant(" service="), + field("messageid"), + constant(" status="), + field("haction"), + constant(" src="), + field("hsaddr"), + constant(" dst="), + field("hdaddr"), + constant(" src_port="), + field("hsport"), + constant(" dst_port="), + field("hdport"), + constant(" "), + field("p0"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" ("), + field("messageid"), + constant(" "), + field("hfld5"), + constant(" times in last "), + field("hfld6"), + constant(") "), + field("hfld7"), + constant(" "), + field("hfld8"), + constant("::"), + field("p0"), + ], + }), + ])); + + var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hmonth"), + constant(" "), + field("hday"), + constant(" "), + field("htime"), + constant(" "), + field("hhostname"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld5"), + constant("::"), + field("p0"), + ], + }), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + ]); + + var part1 = match("MESSAGE#0:enter", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg1 = msg("enter", part1); + + var part2 = match("MESSAGE#1:repeated", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} (repeated %{fld5->} times in last %{fld6}) enter %{info}", processor_chain([ + dup1, + dup2, + ])); + + var msg2 = msg("repeated", part2); + + var msg3 = msg("ms-wbt-server", dup9); + + var msg4 = msg("http", dup9); + + var msg5 = msg("https", dup9); + + var msg6 = msg("smtp", dup9); + + var msg7 = msg("pop3", dup9); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "enter": msg1, + "http": msg4, + "https": msg5, + "ms-wbt-server": msg3, + "pop3": msg7, + "repeated": msg2, + "smtp": msg6, + }), + ]); + + var part3 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{hostname->} proto=%{protocol->} service=%{network_service->} status=deny src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} server_app=%{fld12->} pid=%{process_id->} app_name=%{fld14->} traff_direct=%{direction->} block_count=%{dclass_counter1->} logon_user=%{username}@%{domain->} msg=%{result}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup2, + dup8, + ])); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_forticlient/1.1.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..ea298cf0e2 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,76 @@ +--- +description: Pipeline for Fortinet FortiClient Endpoint Security +processors: + - set: + field: ecs.version + value: '8.3.0' + - set: + field: observer.vendor + value: Fortinet + - set: + field: observer.product + value: FortiClient + - set: + field: observer.type + value: anti-virus + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/agent.yml b/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..e0f9e38998 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/agent.yml @@ -0,0 +1,170 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/base-fields.yml b/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..aa4e6d0ed0 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/base-fields.yml @@ -0,0 +1,38 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: fortinet +- name: event.dataset + type: constant_keyword + description: Event dataset + value: fortinet_forticlient.log +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/ecs.yml b/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..86a7d52a55 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/ecs.yml @@ -0,0 +1,556 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/fields.yml b/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..ea69cd79e3 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/fields/fields.yml @@ -0,0 +1,1754 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/manifest.yml b/packages/fortinet_forticlient/1.1.3/data_stream/log/manifest.yml new file mode 100755 index 0000000000..8bd443ba30 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/manifest.yml @@ -0,0 +1,215 @@ +title: Fortinet FortiClient Endpoint Security logs +release: experimental +type: logs +streams: + - input: udp + enabled: true + title: Fortinet FortiClient Endpoint Security logs + description: Collect Fortinet FortiClient Endpoint Security logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-clientendpoint + - fortinet-forticlient + - forwarded + - name: udp_host + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9509 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + enabled: false + title: Fortinet FortiClient Endpoint Security logs + description: Collect Fortinet FortiClient Endpoint Security logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-clientendpoint + - fortinet-forticlient + - forwarded + - name: tcp_host + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9509 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + enabled: false + title: Fortinet FortiClient Endpoint Security logs + template_path: log.yml.hbs + description: Collect Fortinet FortiClient Endpoint Security logs from file + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: false + default: + - /var/log/fortinet-clientendpoint.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-clientendpoint + - fortinet-forticlient + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/fortinet_forticlient/1.1.3/data_stream/log/sample_event.json b/packages/fortinet_forticlient/1.1.3/data_stream/log/sample_event.json new file mode 100755 index 0000000000..be6f45153a --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/data_stream/log/sample_event.json @@ -0,0 +1,125 @@ +{ + "@timestamp": "2021-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "e212d683-d4b4-42ac-ba98-c8414ff62188", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "fortinet_forticlient.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": [ + "10.102.123.34" + ], + "port": 3994 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "deny", + "agent_id_status": "verified", + "code": "http", + "dataset": "fortinet_forticlient.log", + "ingested": "2022-01-25T12:25:45Z", + "original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n", + "outcome": "failure", + "timezone": "+00:00" + }, + "host": { + "name": "boNemoe4402.www.invalid" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:54478" + } + }, + "network": { + "direction": "external", + "protocol": "udp" + }, + "observer": { + "product": "FortiClient", + "type": "Anti-Virus", + "vendor": "Fortinet" + }, + "process": { + "pid": 7880 + }, + "related": { + "hosts": [ + "litesse6379.api.domain", + "boNemoe4402.www.invalid" + ], + "ip": [ + "10.150.92.220", + "10.102.123.34" + ], + "user": [ + "sumdo" + ] + }, + "rsa": { + "counters": { + "dclass_c1": 5286, + "dclass_c1_str": "block_count" + }, + "internal": { + "messageid": "http" + }, + "investigations": { + "ec_outcome": "Failure", + "ec_subject": "NetworkComm", + "ec_theme": "ALM" + }, + "misc": { + "action": [ + "deny" + ], + "result": "failure\n" + }, + "network": { + "alias_host": [ + "boNemoe4402.www.invalid" + ], + "domain": "litesse6379.api.domain", + "network_service": "http" + }, + "time": { + "event_time": "2021-01-29T06:09:59.000Z" + } + }, + "server": { + "domain": "litesse6379.api.domain", + "registered_domain": "api.domain", + "subdomain": "litesse6379", + "top_level_domain": "domain" + }, + "source": { + "ip": [ + "10.150.92.220" + ], + "port": 7178 + }, + "tags": [ + "preserve_original_event", + "fortinet-clientendpoint", + "forwarded" + ], + "user": { + "name": "sumdo" + } +} \ No newline at end of file diff --git a/packages/fortinet_forticlient/1.1.3/docs/README.md b/packages/fortinet_forticlient/1.1.3/docs/README.md new file mode 100755 index 0000000000..459afe7812 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/docs/README.md @@ -0,0 +1,981 @@ +# Fortinet FortiClient Integration + +This integration is for Fortinet FortiClient logs sent in the syslog format. + +## Compatibility + +This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. + +### Log + +The `log` dataset collects JFortinet FortiClient logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2021-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "e212d683-d4b4-42ac-ba98-c8414ff62188", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "fortinet_forticlient.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "ip": [ + "10.102.123.34" + ], + "port": 3994 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "deny", + "agent_id_status": "verified", + "code": "http", + "dataset": "fortinet_forticlient.log", + "ingested": "2022-01-25T12:25:45Z", + "original": "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n", + "outcome": "failure", + "timezone": "+00:00" + }, + "host": { + "name": "boNemoe4402.www.invalid" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.30.0.4:54478" + } + }, + "network": { + "direction": "external", + "protocol": "udp" + }, + "observer": { + "product": "FortiClient", + "type": "Anti-Virus", + "vendor": "Fortinet" + }, + "process": { + "pid": 7880 + }, + "related": { + "hosts": [ + "litesse6379.api.domain", + "boNemoe4402.www.invalid" + ], + "ip": [ + "10.150.92.220", + "10.102.123.34" + ], + "user": [ + "sumdo" + ] + }, + "rsa": { + "counters": { + "dclass_c1": 5286, + "dclass_c1_str": "block_count" + }, + "internal": { + "messageid": "http" + }, + "investigations": { + "ec_outcome": "Failure", + "ec_subject": "NetworkComm", + "ec_theme": "ALM" + }, + "misc": { + "action": [ + "deny" + ], + "result": "failure\n" + }, + "network": { + "alias_host": [ + "boNemoe4402.www.invalid" + ], + "domain": "litesse6379.api.domain", + "network_service": "http" + }, + "time": { + "event_time": "2021-01-29T06:09:59.000Z" + } + }, + "server": { + "domain": "litesse6379.api.domain", + "registered_domain": "api.domain", + "subdomain": "litesse6379", + "top_level_domain": "domain" + }, + "source": { + "ip": [ + "10.150.92.220" + ], + "port": 7178 + }, + "tags": [ + "preserve_original_event", + "fortinet-clientendpoint", + "forwarded" + ], + "user": { + "name": "sumdo" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | diff --git a/packages/fortinet_forticlient/1.1.3/img/fortinet-logo.svg b/packages/fortinet_forticlient/1.1.3/img/fortinet-logo.svg new file mode 100755 index 0000000000..d6a8448f32 --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/img/fortinet-logo.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/packages/fortinet_forticlient/1.1.3/manifest.yml b/packages/fortinet_forticlient/1.1.3/manifest.yml new file mode 100755 index 0000000000..e0318fee5a --- /dev/null +++ b/packages/fortinet_forticlient/1.1.3/manifest.yml @@ -0,0 +1,32 @@ +name: fortinet_forticlient +title: Fortinet FortiClient Logs +version: 1.1.3 +release: ga +description: Collect logs from Fortinet FortiClient instances with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: ["security"] +conditions: + kibana.version: "^7.14.1 || ^8.0.0" +icons: + - src: /img/fortinet-logo.svg + title: Fortinet + size: 216x216 + type: image/svg+xml +policy_templates: + - name: fortinet + title: Fortinet FortiClient logs + description: Collect logs from Fortinet FortiClient instances + inputs: + - type: logfile + title: "Collect Fortinet FortiClient logs (input: logfile)" + description: "Collecting logs from Fortinet FortiClient instances (input: logfile)" + - type: tcp + title: "Collect Fortinet FortiClient logs (input: tcp)" + description: "Collecting logs from Fortinet FortiClient instances (input: tcp)" + - type: udp + title: "Collect Fortinet FortiClient logs (input: udp)" + description: "Collecting logs from Fortinet FortiClient instances (input: udp)" +owner: + github: elastic/security-external-integrations diff --git a/packages/fortinet_fortigate/1.2.4/LICENSE.txt b/packages/fortinet_fortigate/1.2.4/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fortinet_fortigate/1.2.4/changelog.yml b/packages/fortinet_fortigate/1.2.4/changelog.yml new file mode 100755 index 0000000000..0a6cd4167f --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/changelog.yml @@ -0,0 +1,44 @@ +# newer versions go on top +- version: "1.2.4" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4407 +- version: "1.2.3" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "1.2.2" + changes: + - description: Ensure network.direction values conform to ECS. + type: bugfix + link: https://github.com/elastic/integrations/issues/4283 +- version: "1.2.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.2.0" + changes: + - description: Update Ingest Pipeline with observer Fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3819 +- version: "1.1.0" + changes: + - description: Add dashboard. + type: enhancement + link: https://github.com/elastic/integrations/pull/3832 + - description: Process syslog priority and facility. + type: enhancement + link: https://github.com/elastic/integrations/pull/3832 +- version: "1.0.1" + changes: + - description: Fix handling of sip events. + type: bugfix + link: https://github.com/elastic/integrations/pull/3901 +- version: "1.0.0" + changes: + - description: Initial version of Fortinet FortiGate as separate package + type: enhancement + link: https://github.com/elastic/integrations/pull/3265 diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..225500de9f --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/log.yml.hbs @@ -0,0 +1,47 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if internal_interfaces.length}} +processors: +{{else}} +{{#if external_interfaces.length}} +processors: +{{else}} +{{#if processors}} +processors: +{{/if}} +{{/if}} +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} +{{#if internal_interfaces.length}} + - add_fields: + target: _temp + fields: + internal_interfaces: + {{#each internal_interfaces as |interface i|}} + - {{interface}} + {{/each}} +{{/if}} +{{#if external_interfaces.length}} + - add_fields: + target: _temp + fields: + external_interfaces: + {{#each external_interfaces as |interface i|}} + - {{interface}} + {{/each}} +{{/if}} diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..6ca58d4fa8 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,49 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if internal_interfaces.length}} +processors: +{{else}} +{{#if external_interfaces.length}} +processors: +{{else}} +{{#if processors}} +processors: +{{/if}} +{{/if}} +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} +{{#if internal_interfaces.length}} + - add_fields: + target: _temp + fields: + internal_interfaces: + {{#each internal_interfaces as |interface i|}} + - {{interface}} + {{/each}} +{{/if}} +{{#if external_interfaces.length}} + - add_fields: + target: _temp + fields: + external_interfaces: + {{#each external_interfaces as |interface i|}} + - {{interface}} + {{/each}} +{{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..852d6d18f0 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,43 @@ +host: "{{syslog_host}}:{{syslog_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if internal_interfaces.length}} +processors: +{{else}} +{{#if external_interfaces.length}} +processors: +{{else}} +{{#if processors}} +processors: +{{/if}} +{{/if}} +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} +{{#if internal_interfaces.length}} + - add_fields: + target: _temp + fields: + internal_interfaces: + {{#each internal_interfaces as |interface i|}} + - {{interface}} + {{/each}} +{{/if}} +{{#if external_interfaces.length}} + - add_fields: + target: _temp + fields: + external_interfaces: + {{#each external_interfaces as |interface i|}} + - {{interface}} + {{/each}} +{{/if}} diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..de33da79fa --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,449 @@ +--- +description: Pipeline for parsing fortinet firewall logs +processors: + - set: + field: ecs.version + value: '8.3.0' + - rename: + field: message + target_field: event.original + - grok: + field: event.original + ecs_compatibility: v1 + patterns: + - "%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$" + - script: + lang: painless + source: | + if (ctx.log?.syslog?.priority != null) { + def severity = new HashMap(); + severity['code'] = ctx.log.syslog.priority&0x7; + ctx.log.syslog['severity'] = severity; + def facility = new HashMap(); + facility['code'] = ctx.log.syslog.priority>>3; + ctx.log.syslog['facility'] = facility; + } + - kv: + field: syslog5424_sd + field_split: " (?=[a-z\\_\\-]+=)" + value_split: "=" + prefix: "fortinet.firewall." + ignore_missing: true + ignore_failure: false + trim_value: '"' + - script: + lang: painless + source: | + def fw = ctx?.fortinet?.firewall; + if (fw != null) { + fw.entrySet().removeIf(entry -> entry.getValue() == "N/A"); + } + - set: + field: observer.vendor + value: Fortinet + - set: + field: observer.product + value: Fortigate + - set: + field: observer.type + value: firewall + - set: + field: event.timezone + value: "{{fortinet.firewall.tz}}" + ignore_empty_value: true + - set: + field: _temp.time + value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}} {{fortinet.firewall.tz}}" + if: "ctx.fortinet?.firewall?.tz != null" + - set: + field: _temp.time + value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}}" + if: "ctx.fortinet?.firewall?.tz == null" + - date: + field: _temp.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + timezone: "{{fortinet.firewall.tz}}" + if: "ctx.fortinet?.firewall?.tz != null" + - date: + field: _temp.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + if: "ctx.fortinet?.firewall?.tz == null" + - gsub: + field: fortinet.firewall.eventtime + pattern: "\\d{6}$" + replacement: "" + if: "ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 18" + - date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX_MS + timezone: "{{fortinet.firewall.tz}}" + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" + - date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX + timezone: "{{fortinet.firewall.tz}}" + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" + - date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX_MS + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" + - date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX + if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" + - rename: + field: fortinet.firewall.devname + target_field: observer.name + ignore_missing: true + - script: + lang: painless + source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000" + if: "ctx.fortinet?.firewall?.duration != null" + - rename: + field: fortinet.firewall.devid + target_field: observer.serial_number + ignore_missing: true + - rename: + field: fortinet.firewall.dstintf + target_field: observer.egress.interface.name + ignore_missing: true + if: "ctx.observer?.egress?.interface?.name == null" + - rename: + field: fortinet.firewall.srcintf + target_field: observer.ingress.interface.name + ignore_missing: true + if: "ctx.observer?.ingress?.interface?.name == null" + - rename: + field: fortinet.firewall.dst_int + target_field: observer.egress.interface.name + ignore_missing: true + - rename: + field: fortinet.firewall.src_int + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: fortinet.firewall.level + target_field: log.level + ignore_missing: true + - append: + field: email.cc.address + value: "{{{fortinet.firewall.cc}}}" + if: "ctx?.fortinet?.cc?.address != null" + - set: + field: email.subject + copy_from: fortinet.firewall.subject + if: "ctx?.fortinet?.firewall?.subject != null" + + # Handle interface-based network directionality + - set: + field: network.direction + value: inbound + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.ingress?.interface?.name != null && + ctx?.observer?.egress?.interface?.name != null && + ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && + ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.ingress?.interface?.name != null && + ctx?.observer?.egress?.interface?.name != null && + ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && + ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) + - set: + field: network.direction + value: internal + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.ingress?.interface?.name != null && + ctx?.observer?.egress?.interface?.name != null && + ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) && + ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) + - set: + field: network.direction + value: external + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.ingress?.interface?.name != null && + ctx?.observer?.egress?.interface?.name != null && + ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && + ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp?.external_interfaces != null && + ctx?._temp?.internal_interfaces != null && + ctx?.observer?.egress?.interface?.name != null && + ctx?.observer?.ingress?.interface?.name != null && + ( + ( + !ctx._temp.external_interfaces.contains(ctx.observer.egress.interface.name) && + !ctx._temp.internal_interfaces.contains(ctx.observer.egress.interface.name) + ) || + ( + !ctx._temp.external_interfaces.contains(ctx.observer.ingress.interface.name) && + !ctx._temp.internal_interfaces.contains(ctx.observer.ingress.interface.name) + ) + ) + - remove: + field: + - _temp.time + - _temp + - syslog5424_sd + - fortinet.firewall.tz + - fortinet.firewall.date + - fortinet.firewall.devid + - fortinet.firewall.eventtime + - fortinet.firewall.time + - fortinet.firewall.duration + - host + ignore_missing: true + - pipeline: + name: '{{ IngestPipeline "event" }}' + if: "ctx.fortinet?.firewall?.type == 'event'" + - pipeline: + name: '{{ IngestPipeline "traffic" }}' + if: "ctx.fortinet?.firewall?.type == 'traffic'" + - pipeline: + name: '{{ IngestPipeline "utm" }}' + if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'" + - convert: + field: fortinet.firewall.quotamax + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.quotaused + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.size + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.disklograte + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.fazlograte + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.lanin + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.lanout + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.setuprate + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.wanin + type: long + ignore_missing: true + - convert: + field: fortinet.firewall.wanout + type: long + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" + - geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true + - script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - append: + field: related.ip + value: "{{source.ip}}" + if: "ctx.source?.ip != null" + allow_duplicates: false + - append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx.destination?.ip != null" + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + allow_duplicates: false + - append: + field: related.user + value: "{{destination.user.name}}" + if: "ctx.destination?.user?.name != null" + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.address}}" + if: "ctx.destination?.address != null" + allow_duplicates: false + - append: + field: related.hosts + value: "{{source.address}}" + if: "ctx.source?.address != null" + allow_duplicates: false + - append: + field: related.hosts + value: "{{dns.question.name}}" + if: "ctx.dns?.question?.name != null" + allow_duplicates: false + + # Fix up network direction field to match ECS-allowable values. + - set: + field: network.direction + value: unknown + if: "ctx.network?.direction != null && !(['ingress', 'egress', 'inbound', 'outbound', 'internal', 'external'].contains(ctx.network.direction))" + + - script: + lang: painless + source: | + def dnsIPs = ctx?.dns?.resolved_ip; + if (dnsIPs != null && dnsIPs instanceof List) { + if (ctx?.related?.ip == null) { + ctx.related.ip = []; + } + for (ip in dnsIPs) { + if (!ctx.related.ip.contains(ip)) { + ctx.related.ip.add(ip); + } + } + } + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/event.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/event.yml new file mode 100755 index 0000000000..19f29c3b99 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/event.yml @@ -0,0 +1,267 @@ +--- +description: Pipeline for parsing fortinet firewall logs (event pipeline) +processors: + - set: + field: event.kind + value: event + - set: + field: event.outcome + value: failure + if: "ctx.fortinet?.firewall?.result == 'ERROR' || ctx.fortinet?.firewall?.status == 'negotiate_error'" + - set: + field: event.outcome + value: success + if: "ctx.fortinet?.firewall?.result == 'OK' || ['FSSO-logon', 'auth-logon', 'FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" + - append: + field: event.type + value: + - user + - start + if: "['FSSO-logon', 'auth-logon'].contains(ctx.fortinet?.firewall?.action)" + - append: + field: event.type + value: + - user + - end + if: "['FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)" + - append: + field: event.type + value: connection + if: "ctx.fortinet?.firewall?.subtype == 'vpn'" + - append: + field: event.category + value: network + if: "ctx.fortinet?.firewall?.subtype == 'vpn'" + - append: + field: event.type + value: info + if: "ctx.fortinet?.firewall?.action == 'perf-stats'" + - append: + field: event.category + value: host + if: "ctx.fortinet?.firewall?.action == 'perf-stats'" + - append: + field: event.type + value: info + if: "ctx.fortinet?.firewall?.subtype == 'update'" + - append: + field: event.category + value: + - host + - malware + if: "ctx.fortinet?.firewall?.subtype == 'update'" + - append: + field: event.category + value: authentication + if: "ctx.fortinet?.firewall?.subtype == 'user'" + - rename: + field: fortinet.firewall.dstip + target_field: destination.ip + ignore_missing: true + - rename: + field: fortinet.firewall.remip + target_field: destination.ip + ignore_missing: true + if: "ctx.destination?.ip == null" + - convert: + field: fortinet.firewall.dstport + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: fortinet.firewall.remport + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.destination?.port == null" + - convert: + field: fortinet.firewall.rcvdbyte + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.daddr + target_field: destination.address + ignore_missing: true + - rename: + field: fortinet.firewall.dst_host + target_field: destination.address + ignore_missing: true + if: "ctx.destination?.address == null" + - rename: + field: fortinet.firewall.dst_host + target_field: destination.domain + ignore_missing: true + if: "ctx.destination?.address == null" + - rename: + field: fortinet.firewall.group + target_field: source.user.group.name + ignore_missing: true + - convert: + field: fortinet.firewall.sentbyte + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.srcip + target_field: source.ip + ignore_missing: true + - rename: + field: fortinet.firewall.locip + target_field: source.ip + ignore_missing: true + if: "ctx.source?.ip == null" + - rename: + field: fortinet.firewall.srcmac + target_field: source.mac + ignore_missing: true + - rename: + field: fortinet.firewall.source_mac + target_field: source.mac + ignore_missing: true + if: "ctx.source?.mac == null" + - convert: + field: fortinet.firewall.srcport + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: fortinet.firewall.locport + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.source?.port == null" + - rename: + field: fortinet.firewall.user + target_field: source.user.name + ignore_missing: true + - rename: + field: fortinet.firewall.saddr + target_field: source.address + ignore_missing: true + - rename: + field: fortinet.firewall.agent + target_field: user_agent.original + ignore_missing: true + - rename: + field: fortinet.firewall.file + target_field: file.name + ignore_missing: true + - convert: + field: fortinet.firewall.filesize + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.level + target_field: log.level + ignore_missing: true + - rename: + field: fortinet.firewall.logid + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + - rename: + field: fortinet.firewall.msg + target_field: message + ignore_missing: true + - rename: + field: fortinet.firewall.policyid + target_field: rule.id + ignore_missing: true + - rename: + field: fortinet.firewall.proto + target_field: network.iana_number + ignore_missing: true + - rename: + field: fortinet.firewall.dir + target_field: network.direction + ignore_missing: true + if: "ctx.network?.direction == null" + - rename: + field: fortinet.firewall.direction + target_field: network.direction + ignore_missing: true + if: "ctx.network?.direction == null" + # Normalize the network direction + - script: + lang: painless + ignore_failure: true + params: + outgoing: outbound + incoming: inbound + source: >- + if (ctx.network?.direction == null) { + return; + } + def k = ctx.network?.direction.toLowerCase(); + def normalized = params.get(k); + if (normalized != null) { + ctx.network.direction = normalized; + return + } + ctx.network.direction = k; + - rename: + field: fortinet.firewall.service + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - rename: + field: fortinet.firewall.error_num + target_field: error.code + ignore_missing: true + - rename: + field: fortinet.firewall.hostname + target_field: url.domain + ignore_missing: true + - rename: + field: fortinet.firewall.logdesc + target_field: rule.description + ignore_missing: true + - rename: + field: fortinet.firewall.addr + target_field: fortinet.firewall.addrgrp + if: ctx.rule?.description == 'Dynamic address updated' + ignore_missing: true + - rename: + field: fortinet.firewall.url + target_field: url.path + ignore_missing: true + - convert: + field: fortinet.firewall.sess_duration + type: long + target_field: event.duration + ignore_failure: true + ignore_missing: true + if: "ctx.event?.duration == null" + - convert: + field: fortinet.firewall.mem + type: integer + ignore_failure: true + ignore_missing: true + - remove: + field: + - fortinet.firewall.dstport + - fortinet.firewall.remport + - fortinet.firewall.rcvdbyte + - fortinet.firewall.sentbyte + - fortinet.firewall.srcport + - fortinet.firewall.locport + - fortinet.firewall.filesize + - fortinet.firewall.sess_duration + - fortinet.firewall.dir + - fortinet.firewall.direction + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml new file mode 100755 index 0000000000..90f65f53a0 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/traffic.yml @@ -0,0 +1,218 @@ +--- +description: Pipeline for parsing fortinet firewall logs (traffic pipeline) +processors: +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{fortinet.firewall.action}}" + ignore_empty_value: true +- set: + field: event.outcome + value: success + if: "ctx.fortinet?.firewall?.action != null" +- append: + field: event.category + value: network +- append: + field: event.type + value: connection +- append: + field: event.type + value: start + if: "ctx.fortinet?.firewall?.action == 'start'" +- append: + field: event.type + value: end + if: "ctx.fortinet?.firewall?.action != null && ctx.fortinet?.firewall?.action !='start'" +- append: + field: event.type + value: protocol + if: "ctx.fortinet?.firewall?.app != null && ctx.fortinet?.firewall?.action != 'deny'" +- append: + field: event.type + value: allowed + if: "ctx.fortinet?.firewall?.utmaction == null && ctx.fortinet?.firewall?.action != 'deny'" +- append: + field: event.type + value: denied + if: "ctx.fortinet?.firewall?.utmaction == 'block'" +- rename: + field: fortinet.firewall.dstip + target_field: destination.ip + ignore_missing: true +- rename: + field: fortinet.firewall.tranip + target_field: destination.nat.ip + ignore_missing: true +- convert: + field: fortinet.firewall.dstport + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true +- convert: + field: fortinet.firewall.tranport + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true +- convert: + field: fortinet.firewall.rcvdbyte + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true +- convert: + field: fortinet.firewall.rcvdpkt + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true +- append: + field: email.to.address + value: "{{fortinet.firewall.dstcollectedemail}}" + if: "ctx?.fortinet?.firewall?.dstcollectedemail != null" +- rename: + field: fortinet.firewall.dstname + target_field: destination.address + ignore_missing: true +- rename: + field: fortinet.firewall.dstunauthuser + target_field: destination.user.name + ignore_missing: true +- rename: + field: fortinet.firewall.group + target_field: source.user.group.name + ignore_missing: true +- convert: + field: fortinet.firewall.sentbyte + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true +- rename: + field: fortinet.firewall.srcdomain + target_field: source.domain + ignore_missing: true +- rename: + field: fortinet.firewall.srcip + target_field: source.ip + ignore_missing: true +- rename: + field: fortinet.firewall.srcmac + target_field: source.mac + ignore_missing: true +- convert: + field: fortinet.firewall.srcport + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true +- rename: + field: fortinet.firewall.unauthuser + target_field: source.user.name + ignore_missing: true +- rename: + field: fortinet.firewall.user + target_field: source.user.name + ignore_missing: true + if: "ctx.source?.user?.name == null" +- append: + field: email.from.address + value: "{{fortinet.firewall.collectedemail}}" + if: "ctx?.fortinet?.firewall?.collectedemail != null" +- convert: + field: fortinet.firewall.sentpkt + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true +- rename: + field: fortinet.firewall.transip + target_field: source.nat.ip + ignore_missing: true +- convert: + field: fortinet.firewall.transport + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true +- rename: + field: fortinet.firewall.app + target_field: network.application + ignore_missing: true +- rename: + field: fortinet.firewall.filename + target_field: file.name + ignore_missing: true +- rename: + field: fortinet.firewall.logid + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" +- rename: + field: fortinet.firewall.msg + target_field: message + ignore_missing: true +- rename: + field: fortinet.firewall.comment + target_field: rule.description + ignore_missing: true +- rename: + field: fortinet.firewall.policyid + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" +- rename: + field: fortinet.firewall.poluuid + target_field: rule.uuid + ignore_missing: true +- rename: + field: fortinet.firewall.policytype + target_field: rule.ruleset + ignore_missing: true +- rename: + field: fortinet.firewall.policyname + target_field: rule.name + ignore_missing: true +- rename: + field: fortinet.firewall.appcat + target_field: rule.category + ignore_missing: true +- gsub: + field: rule.category + pattern: "\\." + replacement: "-" + ignore_missing: true +- rename: + field: fortinet.firewall.proto + target_field: network.iana_number + ignore_missing: true +- rename: + field: fortinet.firewall.service + target_field: network.protocol + ignore_missing: true +- lowercase: + field: network.protocol + ignore_missing: true +- rename: + field: fortinet.firewall.url + target_field: url.path + ignore_missing: true +- remove: + field: + - fortinet.firewall.dstport + - fortinet.firewall.tranport + - fortinet.firewall.rcvdbyte + - fortinet.firewall.rcvdpkt + - fortinet.firewall.sentbyte + - fortinet.firewall.srcport + - fortinet.firewall.sentpkt + - fortinet.firewall.transport + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/utm.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/utm.yml new file mode 100755 index 0000000000..d286bdfdfe --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/elasticsearch/ingest_pipeline/utm.yml @@ -0,0 +1,376 @@ +--- +description: Pipeline for parsing fortinet firewall logs (utm pipeline) +processors: + - set: + field: event.kind + value: event + - append: + field: event.type + value: denied + if: "['block', 'blocked'].contains(ctx.fortinet?.firewall?.action)" + - append: + field: event.type + value: info + if: "ctx.fortinet?.firewall?.subtype == 'dns'" + - append: + field: event.type + value: allowed + if: "['pass', 'passthrough'].contains(ctx.fortinet?.firewall?.action)" + - set: + field: event.outcome + value: success + if: "ctx.fortinet?.firewall?.action != null" + - append: + field: event.category + value: network + - rename: + field: fortinet.firewall.dstip + target_field: destination.ip + ignore_missing: true + - rename: + field: fortinet.firewall.remip + target_field: destination.ip + ignore_missing: true + if: "ctx.destination?.ip == null" + - convert: + field: fortinet.firewall.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: fortinet.firewall.remport + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.destination?.port == null" + - convert: + field: fortinet.firewall.dstport + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.destination?.port == null" + - convert: + field: fortinet.firewall.rcvdbyte + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.recipient + target_field: email.to.address + ignore_missing: true + - append: + field: email.to.address + value: "{{fortinet.firewall.recipient}}" + if: "ctx?.fortinet?.firewall?.recipient != null" + - rename: + field: fortinet.firewall.group + target_field: source.user.group.name + ignore_missing: true + - rename: + field: fortinet.firewall.locip + target_field: source.ip + ignore_missing: true + - convert: + field: fortinet.firewall.locport + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: fortinet.firewall.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.source?.port == null" + - convert: + field: fortinet.firewall.srcport + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.source?.port == null" + - convert: + field: fortinet.firewall.sentbyte + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.srcdomain + target_field: source.domain + ignore_missing: true + - rename: + field: fortinet.firewall.srcip + target_field: source.ip + ignore_missing: true + if: "ctx.source?.ip == null" + - rename: + field: fortinet.firewall.srcmac + target_field: source.mac + ignore_missing: true + - rename: + field: fortinet.firewall.unauthuser + target_field: source.user.name + ignore_missing: true + - rename: + field: fortinet.firewall.user + target_field: source.user.name + ignore_missing: true + if: "ctx.source?.user?.name == null" + - append: + field: email.sender.address + value: "{{fortinet.firewall.sender}}" + if: "ctx?.fortinet?.firewall?.sender != null" + - append: + field: email.from.address + value: "{{fortinet.firewall.from}}" + if: "ctx?.fortinet?.firewall?.from != null" + - rename: + field: fortinet.firewall.agent + target_field: user_agent.original + ignore_missing: true + - rename: + field: fortinet.firewall.app + target_field: network.application + ignore_missing: true + - rename: + field: fortinet.firewall.appcat + target_field: rule.category + ignore_missing: true + - rename: + field: fortinet.firewall.applist + target_field: rule.ruleset + ignore_missing: true + - rename: + field: fortinet.firewall.catdesc + target_field: rule.category + ignore_missing: true + if: "ctx.rule?.category == null" + - gsub: + field: rule.category + pattern: "\\." + replacement: "-" + ignore_missing: true + if: "ctx.rule?.category != null" + - rename: + field: fortinet.firewall.dir + target_field: network.direction + ignore_missing: true + if: "ctx.network?.direction == null" + - rename: + field: fortinet.firewall.direction + target_field: network.direction + ignore_missing: true + if: "ctx.network?.direction == null" + # Normalize the network direction + - script: + lang: painless + ignore_failure: true + params: + outgoing: outbound + incoming: inbound + source: >- + if (ctx.network?.direction == null) { + return; + } + def k = ctx.network?.direction.toLowerCase(); + def normalized = params.get(k); + if (normalized != null) { + ctx.network.direction = normalized; + return + } + ctx.network.direction = k; + - rename: + field: fortinet.firewall.error + target_field: event.message + ignore_missing: true + - rename: + field: fortinet.firewall.errorcode + target_field: event.code + ignore_missing: true + - rename: + field: fortinet.firewall.event_id + target_field: event.id + ignore_missing: true + - rename: + field: fortinet.firewall.eventid + target_field: event.id + ignore_missing: true + if: "ctx.event?.id == null" + - rename: + field: fortinet.firewall.eventtype + target_field: event.action + ignore_missing: true + - rename: + field: fortinet.firewall.filename + target_field: file.name + ignore_missing: true + - convert: + field: fortinet.firewall.filesize + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: fortinet.firewall.filetype + target_field: file.extension + ignore_missing: true + - rename: + field: fortinet.firewall.infectedfilename + target_field: file.name + ignore_missing: true + if: "ctx.file?.name == null" + - rename: + field: fortinet.firewall.infectedfilesize + target_field: file.size + ignore_missing: true + if: "ctx.file?.size == null" + - rename: + field: fortinet.firewall.infectedfiletype + target_field: file.extension + ignore_missing: true + if: "ctx.file?.extension == null" + - rename: + field: fortinet.firewall.matchedfilename + target_field: file.name + ignore_missing: true + if: "ctx.file?.name == null" + - rename: + field: fortinet.firewall.matchedfiletype + target_field: file.extension + ignore_missing: true + if: "ctx.file?.extension == null" + - rename: + field: fortinet.firewall.hostname + target_field: url.domain + ignore_missing: true + - rename: + field: fortinet.firewall.ipaddr + target_field: dns.resolved_ip + ignore_missing: true + - split: + field: dns.resolved_ip + separator: ", " + ignore_missing: true + - rename: + field: fortinet.firewall.level + target_field: log.level + ignore_missing: true + - rename: + field: fortinet.firewall.logid + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + - rename: + field: fortinet.firewall.msg + target_field: message + ignore_missing: true + - rename: + field: fortinet.firewall.policy_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + - rename: + field: fortinet.firewall.policyid + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + - rename: + field: fortinet.firewall.profile + target_field: rule.ruleset + ignore_missing: true + if: "ctx.rule?.ruleset == null" + - rename: + field: fortinet.firewall.proto + target_field: network.iana_number + ignore_missing: true + - rename: + field: fortinet.firewall.qclass + target_field: dns.question.class + ignore_missing: true + - rename: + field: fortinet.firewall.qname + target_field: dns.question.name + ignore_missing: true + - rename: + field: fortinet.firewall.qtype + target_field: dns.question.type + ignore_missing: true + - rename: + field: fortinet.firewall.service + target_field: network.protocol + ignore_missing: true + - lowercase: + field: network.protocol + ignore_missing: true + - rename: + field: fortinet.firewall.url + target_field: url.path + ignore_missing: true + - rename: + field: fortinet.firewall.xid + target_field: dns.id + ignore_missing: true + - rename: + field: fortinet.firewall.scertcname + target_field: tls.server.x509.subject.common_name + ignore_missing: true + - rename: + field: fortinet.firewall.scertissuer + target_field: tls.server.issuer + ignore_missing: true + - set: + field: tls.server.x509.issuer.common_name + value: "{{tls.server.issuer}}" + ignore_empty_value: true + - rename: + field: fortinet.firewall.ccertissuer + target_field: tls.client.issuer + ignore_missing: true + - set: + field: tls.client.x509.issuer.common_name + value: "{{tls.client.issuer}}" + ignore_empty_value: true + - rename: + field: fortinet.firewall.sender + target_field: tls.server.issuer + ignore_missing: true + - rename: + field: fortinet.firewall.dtype + target_field: vulnerability.category + ignore_missing: true + - rename: + field: fortinet.firewall.ref + target_field: event.reference + ignore_missing: true + - rename: + field: fortinet.firewall.filehash + target_field: fortinet.file.hash.crc32 + ignore_missing: true + - append: + field: related.hash + value: "{{fortinet.file.hash.crc32}}" + if: "ctx.fortinet?.file?.hash?.crc32 != null" + - remove: + field: + - fortinet.firewall.dst_port + - fortinet.firewall.remport + - fortinet.firewall.dstport + - fortinet.firewall.rcvdbyte + - fortinet.firewall.locport + - fortinet.firewall.src_port + - fortinet.firewall.srcport + - fortinet.firewall.sentbyte + - fortinet.firewall.filesize + - fortinet.firewall.dir + - fortinet.firewall.direction + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/agent.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..8e77444780 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/agent.yml @@ -0,0 +1,178 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..e29671260e --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Name of the module this data is coming from. + value: fortinet +- name: event.dataset + type: constant_keyword + description: Name of the dataset. + value: fortinet_fortigate.log +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/beats.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/beats.yml new file mode 100755 index 0000000000..05a6db4740 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/beats.yml @@ -0,0 +1,15 @@ +- description: Type of Filebeat input. + name: input.type + type: keyword +- description: Flags for the log file. + name: log.flags + type: keyword +- description: Offset of the entry in the log file. + name: log.offset + type: long +- description: Path to the log file. + name: log.file.path + type: keyword +- description: Log message optimized for viewing in a log viewer. + name: event.message + type: text diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/ecs.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..4d5b358960 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/ecs.yml @@ -0,0 +1,476 @@ +- description: Unique container id. + name: container.id + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: User email address. + name: destination.user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + normalize: + - array + type: ip +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The email address of CC recipient + name: email.cc.address + normalize: + - array + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + normalize: + - array + type: keyword +- description: Per RFC 5322, specifies the address responsible for the actual transmission of the message. + name: email.sender.address + type: keyword +- description: The email address of recipient + name: email.to.address + normalize: + - array + type: keyword +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reference URL linking to additional information about this event. + This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.reference + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer serial number. + name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: User email address. + name: source.user.email + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + name: tls.client.issuer + type: keyword +- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + name: tls.client.server_name + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.client.x509.issuer.common_name + normalize: + - array + type: keyword +- description: Subject of the issuer of the x.509 certificate presented by the server. + name: tls.server.issuer + type: keyword +- description: List of common name (CN) of issuing certificate authority. + name: tls.server.x509.issuer.common_name + normalize: + - array + type: keyword +- description: List of common names (CN) of subject. + name: tls.server.x509.subject.common_name + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) + This field must be an array. + name: vulnerability.category + normalize: + - array + type: keyword diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/fields.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..d7fa9c281c --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/fields/fields.yml @@ -0,0 +1,1727 @@ +- name: fortinet + type: group + fields: + - name: file.hash.crc32 + type: keyword + description: | + CRC32 Hash of file + - name: firewall + type: group + release: beta + fields: + - name: acct_stat + type: keyword + description: | + Accounting state (RADIUS) + - name: acktime + type: keyword + description: | + Alarm Acknowledge Time + - name: act + type: keyword + description: | + Action + - name: action + type: keyword + description: | + Status of the session + - name: activity + type: keyword + description: | + HA activity message + - name: addr + type: ip + description: | + IP Address + - name: addr_type + type: keyword + description: | + Address Type + - name: addrgrp + type: keyword + description: | + Address Group + - name: adgroup + type: keyword + description: | + AD Group Name + - name: admin + type: keyword + description: | + Admin User + - name: age + type: integer + description: | + Time in seconds - time passed since last seen + - name: agent + type: keyword + description: | + User agent - eg. agent="Mozilla/5.0" + - name: alarmid + type: integer + description: | + Alarm ID + - name: alert + type: keyword + description: | + Alert + - name: analyticscksum + type: keyword + description: | + The checksum of the file submitted for analytics + - name: analyticssubmit + type: keyword + description: | + The flag for analytics submission + - name: ap + type: keyword + description: | + Access Point + - name: app-type + type: keyword + description: | + Address Type + - name: appact + type: keyword + description: | + The security action from app control + - name: appid + type: integer + description: | + Application ID + - name: applist + type: keyword + description: | + Application Control profile + - name: apprisk + type: keyword + description: | + Application Risk Level + - name: apscan + type: keyword + description: | + The name of the AP, which scanned and detected the rogue AP + - name: apsn + type: keyword + description: | + Access Point + - name: apstatus + type: keyword + description: | + Access Point status + - name: aptype + type: keyword + description: | + Access Point type + - name: assigned + type: ip + description: | + Assigned IP Address + - name: assignip + type: ip + description: | + Assigned IP Address + - name: attachment + type: keyword + description: | + The flag for email attachement + - name: attack + type: keyword + description: | + Attack Name + - name: attackcontext + type: keyword + description: | + The trigger patterns and the packetdata with base64 encoding + - name: attackcontextid + type: keyword + description: | + Attack context id / total + - name: attackid + type: integer + description: | + Attack ID + - name: auditid + type: long + description: | + Audit ID + - name: auditscore + type: keyword + description: | + The Audit Score + - name: audittime + type: long + description: | + The time of the audit + - name: authgrp + type: keyword + description: | + Authorization Group + - name: authid + type: keyword + description: | + Authentication ID + - name: authproto + type: keyword + description: | + The protocol that initiated the authentication + - name: authserver + type: keyword + description: | + Authentication server + - name: bandwidth + type: keyword + description: | + Bandwidth + - name: banned_rule + type: keyword + description: | + NAC quarantine Banned Rule Name + - name: banned_src + type: keyword + description: | + NAC quarantine Banned Source IP + - name: banword + type: keyword + description: | + Banned word + - name: botnetdomain + type: keyword + description: | + Botnet Domain Name + - name: botnetip + type: ip + description: | + Botnet IP Address + - name: bssid + type: keyword + description: | + Service Set ID + - name: call_id + type: keyword + description: | + Caller ID + - name: carrier_ep + type: keyword + description: | + The FortiOS Carrier end-point identification + - name: cat + type: integer + description: | + DNS category ID + - name: category + type: keyword + description: | + Authentication category + - name: cc + type: keyword + description: | + CC Email Address + - name: cdrcontent + type: keyword + description: | + Cdrcontent + - name: centralnatid + type: integer + description: | + Central NAT ID + - name: cert + type: keyword + description: | + Certificate + - name: cert-type + type: keyword + description: | + Certificate type + - name: certhash + type: keyword + description: | + Certificate hash + - name: cfgattr + type: keyword + description: | + Configuration attribute + - name: cfgobj + type: keyword + description: | + Configuration object + - name: cfgpath + type: keyword + description: | + Configuration path + - name: cfgtid + type: keyword + description: | + Configuration transaction ID + - name: cfgtxpower + type: integer + description: | + Configuration TX power + - name: channel + type: integer + description: | + Wireless Channel + - name: channeltype + type: keyword + description: | + SSH channel type + - name: chassisid + type: integer + description: | + Chassis ID + - name: checksum + type: keyword + description: | + The checksum of the scanned file + - name: chgheaders + type: keyword + description: | + HTTP Headers + - name: cldobjid + type: keyword + description: | + Connector object ID + - name: client_addr + type: keyword + description: | + Wifi client address + - name: cloudaction + type: keyword + description: | + Cloud Action + - name: clouduser + type: keyword + description: | + Cloud User + - name: column + type: integer + description: | + VOIP Column + - name: command + type: keyword + description: | + CLI Command + - name: community + type: keyword + description: | + SNMP Community + - name: configcountry + type: keyword + description: | + Configuration country + - name: connection_type + type: keyword + description: | + FortiClient Connection Type + - name: conserve + type: keyword + description: | + Flag for conserve mode + - name: constraint + type: keyword + description: | + WAF http protocol restrictions + - name: contentdisarmed + type: keyword + description: | + Email scanned content + - name: contenttype + type: keyword + description: | + Content Type from HTTP header + - name: cookies + type: keyword + description: | + VPN Cookie + - name: count + type: integer + description: | + Counts of action type + - name: countapp + type: integer + description: | + Number of App Ctrl logs associated with the session + - name: countav + type: integer + description: | + Number of AV logs associated with the session + - name: countcifs + type: integer + description: | + Number of CIFS logs associated with the session + - name: countdlp + type: integer + description: | + Number of DLP logs associated with the session + - name: countdns + type: integer + description: | + Number of DNS logs associated with the session + - name: countemail + type: integer + description: | + Number of email logs associated with the session + - name: countff + type: integer + description: | + Number of ff logs associated with the session + - name: countips + type: integer + description: | + Number of IPS logs associated with the session + - name: countssh + type: integer + description: | + Number of SSH logs associated with the session + - name: countssl + type: integer + description: | + Number of SSL logs associated with the session + - name: countwaf + type: integer + description: | + Number of WAF logs associated with the session + - name: countweb + type: integer + description: | + Number of Web filter logs associated with the session + - name: cpu + type: integer + description: | + CPU Usage + - name: craction + type: integer + description: | + Client Reputation Action + - name: criticalcount + type: integer + description: | + Number of critical ratings + - name: crl + type: keyword + description: | + Client Reputation Level + - name: crlevel + type: keyword + description: | + Client Reputation Level + - name: crscore + type: integer + description: | + Some description + - name: cveid + type: keyword + description: | + CVE ID + - name: daemon + type: keyword + description: | + Daemon name + - name: datarange + type: keyword + description: | + Data range for reports + - name: date + type: keyword + description: | + Date + - name: ddnsserver + type: ip + description: | + DDNS server + - name: desc + type: keyword + description: | + Description + - name: detectionmethod + type: keyword + description: | + Detection method + - name: devcategory + type: keyword + description: | + Device category + - name: devintfname + type: keyword + description: | + HA device Interface Name + - name: devtype + type: keyword + description: | + Device type + - name: dhcp_msg + type: keyword + description: | + DHCP Message + - name: dintf + type: keyword + description: | + Destination interface + - name: disk + type: keyword + description: | + Assosciated disk + - name: disklograte + type: long + description: | + Disk logging rate + - name: dlpextra + type: keyword + description: | + DLP extra information + - name: docsource + type: keyword + description: | + DLP fingerprint document source + - name: domainctrlauthstate + type: integer + description: | + CIFS domain auth state + - name: domainctrlauthtype + type: integer + description: | + CIFS domain auth type + - name: domainctrldomain + type: keyword + description: | + CIFS domain auth domain + - name: domainctrlip + type: ip + description: | + CIFS Domain IP + - name: domainctrlname + type: keyword + description: | + CIFS Domain name + - name: domainctrlprotocoltype + type: integer + description: | + CIFS Domain connection protocol + - name: domainctrlusername + type: keyword + description: | + CIFS Domain username + - name: domainfilteridx + type: integer + description: | + Domain filter ID + - name: domainfilterlist + type: keyword + description: | + Domain filter name + - name: ds + type: keyword + description: | + Direction with distribution system + - name: dst_int + type: keyword + description: | + Destination interface + - name: dstintfrole + type: keyword + description: | + Destination interface role + - name: dstcountry + type: keyword + description: | + Destination country + - name: dstdevcategory + type: keyword + description: | + Destination device category + - name: dstdevtype + type: keyword + description: | + Destination device type + - name: dstfamily + type: keyword + description: | + Destination OS family + - name: dsthwvendor + type: keyword + description: | + Destination HW vendor + - name: dsthwversion + type: keyword + description: | + Destination HW version + - name: dstinetsvc + type: keyword + description: | + Destination interface service + - name: dstosname + type: keyword + description: | + Destination OS name + - name: dstosversion + type: keyword + description: | + Destination OS version + - name: dstserver + type: integer + description: | + Destination server + - name: dstssid + type: keyword + description: | + Destination SSID + - name: dstswversion + type: keyword + description: | + Destination software version + - name: dstunauthusersource + type: keyword + description: | + Destination unauthenticated source + - name: dstuuid + type: keyword + description: | + UUID of the Destination IP address + - name: duid + type: keyword + description: | + DHCP UID + - name: eapolcnt + type: integer + description: | + EAPOL packet count + - name: eapoltype + type: keyword + description: | + EAPOL packet type + - name: encrypt + type: integer + description: | + Whether the packet is encrypted or not + - name: encryption + type: keyword + description: | + Encryption method + - name: epoch + type: integer + description: | + Epoch used for locating file + - name: espauth + type: keyword + description: | + ESP Authentication + - name: esptransform + type: keyword + description: | + ESP Transform + - name: exch + type: keyword + description: | + Mail Exchanges from DNS response answer section + - name: exchange + type: keyword + description: | + Mail Exchanges from DNS response answer section + - name: expectedsignature + type: keyword + description: | + Expected SSL signature + - name: expiry + type: keyword + description: | + FortiGuard override expiry timestamp + - name: fams_pause + type: integer + description: | + Fortinet Analysis and Management Service Pause + - name: fazlograte + type: long + description: | + FortiAnalyzer Logging Rate + - name: fctemssn + type: keyword + description: | + FortiClient Endpoint SSN + - name: fctuid + type: keyword + description: | + FortiClient UID + - name: field + type: keyword + description: | + NTP status field + - name: filefilter + type: keyword + description: | + The filter used to identify the affected file + - name: filehashsrc + type: keyword + description: | + Filehash source + - name: filtercat + type: keyword + description: | + DLP filter category + - name: filteridx + type: integer + description: | + DLP filter ID + - name: filtername + type: keyword + description: | + DLP rule name + - name: filtertype + type: keyword + description: | + DLP filter type + - name: fortiguardresp + type: keyword + description: | + Antispam ESP value + - name: forwardedfor + type: keyword + description: | + Email address forwarded + - name: fqdn + type: keyword + description: | + FQDN + - name: frametype + type: keyword + description: | + Wireless frametype + - name: freediskstorage + type: integer + description: | + Free disk integer + - name: from + type: keyword + description: | + From email address + - name: from_vcluster + type: integer + description: | + Source virtual cluster number + - name: fsaverdict + type: keyword + description: | + FSA verdict + - name: fwserver_name + type: keyword + description: | + Web proxy server name + - name: gateway + type: ip + description: | + Gateway ip address for PPPoE status report + - name: green + type: keyword + description: | + Memory status + - name: groupid + type: integer + description: | + User Group ID + - name: ha-prio + type: integer + description: | + HA Priority + - name: ha_group + type: keyword + description: | + HA Group + - name: ha_role + type: keyword + description: | + HA Role + - name: handshake + type: keyword + description: | + SSL Handshake + - name: hash + type: keyword + description: | + Hash value of downloaded file + - name: hbdn_reason + type: keyword + description: | + Heartbeat down reason + - name: highcount + type: integer + description: | + Highcount fabric summary + - name: host + type: keyword + description: | + Hostname + - name: iaid + type: keyword + description: | + DHCPv6 id + - name: icmpcode + type: keyword + description: | + Destination Port of the ICMP message + - name: icmpid + type: keyword + description: | + Source port of the ICMP message + - name: icmptype + type: keyword + description: | + The type of ICMP message + - name: identifier + type: integer + description: | + Network traffic identifier + - name: in_spi + type: keyword + description: | + IPSEC inbound SPI + - name: incidentserialno + type: integer + description: | + Incident serial number + - name: infected + type: integer + description: | + Infected MMS + - name: infectedfilelevel + type: integer + description: | + DLP infected file level + - name: informationsource + type: keyword + description: | + Information source + - name: init + type: keyword + description: | + IPSEC init stage + - name: initiator + type: keyword + description: | + Original login user name for Fortiguard override + - name: interface + type: keyword + description: | + Related interface + - name: intf + type: keyword + description: | + Related interface + - name: invalidmac + type: keyword + description: | + The MAC address with invalid OUI + - name: ip + type: ip + description: | + Related IP + - name: iptype + type: keyword + description: | + Related IP type + - name: keyword + type: keyword + description: | + Keyword used for search + - name: kind + type: keyword + description: | + VOIP kind + - name: lanin + type: long + description: | + LAN incoming traffic in bytes + - name: lanout + type: long + description: | + LAN outbound traffic in bytes + - name: lease + type: integer + description: | + DHCP lease + - name: license_limit + type: keyword + description: | + Maximum Number of FortiClients for the License + - name: limit + type: integer + description: | + Virtual Domain Resource Limit + - name: line + type: keyword + description: | + VOIP line + - name: live + type: integer + description: | + Time in seconds + - name: local + type: ip + description: | + Local IP for a PPPD Connection + - name: log + type: keyword + description: | + Log message + - name: login + type: keyword + description: | + SSH login + - name: lowcount + type: integer + description: | + Fabric lowcount + - name: mac + type: keyword + description: | + DHCP mac address + - name: malform_data + type: integer + description: | + VOIP malformed data + - name: malform_desc + type: keyword + description: | + VOIP malformed data description + - name: manuf + type: keyword + description: | + Manufacturer name + - name: masterdstmac + type: keyword + description: | + Master mac address for a host with multiple network interfaces + - name: mastersrcmac + type: keyword + description: | + The master MAC address for a host that has multiple network interfaces + - name: mediumcount + type: integer + description: | + Fabric medium count + - name: mem + type: integer + description: | + Memory usage system statistics + - name: meshmode + type: keyword + description: | + Wireless mesh mode + - name: message_type + type: keyword + description: | + VOIP message type + - name: method + type: keyword + description: | + HTTP method + - name: mgmtcnt + type: integer + description: | + The number of unauthorized client flooding managemet frames + - name: mode + type: keyword + description: | + IPSEC mode + - name: module + type: keyword + description: | + PCI-DSS module + - name: monitor-name + type: keyword + description: | + Health Monitor Name + - name: monitor-type + type: keyword + description: | + Health Monitor Type + - name: mpsk + type: keyword + description: | + Wireless MPSK + - name: msgproto + type: keyword + description: | + Message Protocol Number + - name: mtu + type: integer + description: | + Max Transmission Unit Value + - name: name + type: keyword + description: | + Name + - name: nat + type: keyword + description: | + NAT IP Address + - name: netid + type: keyword + description: | + Connector NetID + - name: new_status + type: keyword + description: | + New status on user change + - name: new_value + type: keyword + description: | + New Virtual Domain Name + - name: newchannel + type: integer + description: | + New Channel Number + - name: newchassisid + type: integer + description: | + New Chassis ID + - name: newslot + type: integer + description: | + New Slot Number + - name: nextstat + type: integer + description: | + Time interval in seconds for the next statistics. + - name: nf_type + type: keyword + description: | + Notification Type + - name: noise + type: integer + description: | + Wifi Noise + - name: old_status + type: keyword + description: | + Original Status + - name: old_value + type: keyword + description: | + Original Virtual Domain name + - name: oldchannel + type: integer + description: | + Original channel + - name: oldchassisid + type: integer + description: | + Original Chassis Number + - name: oldslot + type: integer + description: | + Original Slot Number + - name: oldsn + type: keyword + description: | + Old Serial number + - name: oldwprof + type: keyword + description: | + Old Web Filter Profile + - name: onwire + type: keyword + description: | + A flag to indicate if the AP is onwire or not + - name: opercountry + type: keyword + description: | + Operating Country + - name: opertxpower + type: integer + description: | + Operating TX power + - name: osname + type: keyword + description: | + Operating System name + - name: osversion + type: keyword + description: | + Operating System version + - name: out_spi + type: keyword + description: | + Out SPI + - name: outintf + type: keyword + description: | + Out interface + - name: passedcount + type: integer + description: | + Fabric passed count + - name: passwd + type: keyword + description: | + Changed user password information + - name: path + type: keyword + description: | + Path of looped configuration for security fabric + - name: peer + type: keyword + description: | + WAN optimization peer + - name: peer_notif + type: keyword + description: | + VPN peer notification + - name: phase2_name + type: keyword + description: | + VPN phase2 name + - name: phone + type: keyword + description: | + VOIP Phone + - name: pid + type: integer + description: | + Process ID + - name: policytype + type: keyword + description: | + Policy Type + - name: poolname + type: keyword + description: | + IP Pool name + - name: port + type: integer + description: | + Log upload error port + - name: portbegin + type: integer + description: | + IP Pool port number to begin + - name: portend + type: integer + description: | + IP Pool port number to end + - name: probeproto + type: keyword + description: | + Link Monitor Probe Protocol + - name: process + type: keyword + description: | + URL Filter process + - name: processtime + type: integer + description: | + Process time for reports + - name: profile + type: keyword + description: | + Profile Name + - name: profile_vd + type: keyword + description: | + Virtual Domain Name + - name: profilegroup + type: keyword + description: | + Profile Group Name + - name: profiletype + type: keyword + description: | + Profile Type + - name: qtypeval + type: integer + description: | + DNS question type value + - name: quarskip + type: keyword + description: | + Quarantine skip explanation + - name: quotaexceeded + type: keyword + description: | + If quota has been exceeded + - name: quotamax + type: long + description: | + Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + - name: quotatype + type: keyword + description: | + Quota type + - name: quotaused + type: long + description: | + Quota used - in seconds if time-based - in bytes if trafficbased) + - name: radioband + type: keyword + description: | + Radio band + - name: radioid + type: integer + description: | + Radio ID + - name: radioidclosest + type: integer + description: | + Radio ID on the AP closest the rogue AP + - name: radioiddetected + type: integer + description: | + Radio ID on the AP which detected the rogue AP + - name: rate + type: keyword + description: | + Wireless rogue rate value + - name: rawdata + type: keyword + description: | + Raw data value + - name: rawdataid + type: keyword + description: | + Raw data ID + - name: rcvddelta + type: keyword + description: | + Received bytes delta + - name: reason + type: keyword + description: | + Alert reason + - name: received + type: integer + description: | + Server key exchange received + - name: receivedsignature + type: keyword + description: | + Server key exchange received signature + - name: red + type: keyword + description: | + Memory information in red + - name: referralurl + type: keyword + description: | + Web filter referralurl + - name: remote + type: ip + description: | + Remote PPP IP address + - name: remotewtptime + type: keyword + description: | + Remote Wifi Radius authentication time + - name: reporttype + type: keyword + description: | + Report type + - name: reqtype + type: keyword + description: | + Request type + - name: request_name + type: keyword + description: | + VOIP request name + - name: result + type: keyword + description: | + VPN phase result + - name: role + type: keyword + description: | + VPN Phase 2 role + - name: rssi + type: integer + description: | + Received signal strength indicator + - name: rsso_key + type: keyword + description: | + RADIUS SSO attribute value + - name: ruledata + type: keyword + description: | + Rule data + - name: ruletype + type: keyword + description: | + Rule type + - name: scanned + type: integer + description: | + Number of Scanned MMSs + - name: scantime + type: long + description: | + Scanned time + - name: scope + type: keyword + description: | + FortiGuard Override Scope + - name: security + type: keyword + description: | + Wireless rogue security + - name: sensitivity + type: keyword + description: | + Sensitivity for document fingerprint + - name: sensor + type: keyword + description: | + NAC Sensor Name + - name: sentdelta + type: keyword + description: | + Sent bytes delta + - name: seq + type: keyword + description: | + Sequence number + - name: serial + type: keyword + description: | + WAN optimisation serial + - name: serialno + type: keyword + description: | + Serial number + - name: server + type: keyword + description: | + AD server FQDN or IP + - name: session_id + type: keyword + description: | + Session ID + - name: sessionid + type: integer + description: | + WAD Session ID + - name: setuprate + type: long + description: | + Session Setup Rate + - name: severity + type: keyword + description: | + Severity + - name: shaperdroprcvdbyte + type: integer + description: | + Received bytes dropped by shaper + - name: shaperdropsentbyte + type: integer + description: | + Sent bytes dropped by shaper + - name: shaperperipdropbyte + type: integer + description: | + Dropped bytes per IP by shaper + - name: shaperperipname + type: keyword + description: | + Traffic shaper name (per IP) + - name: shaperrcvdname + type: keyword + description: | + Traffic shaper name for received traffic + - name: shapersentname + type: keyword + description: | + Traffic shaper name for sent traffic + - name: shapingpolicyid + type: integer + description: | + Traffic shaper policy ID + - name: signal + type: integer + description: | + Wireless rogue API signal + - name: size + type: long + description: | + Email size in bytes + - name: slot + type: integer + description: | + Slot number + - name: sn + type: keyword + description: | + Security fabric serial number + - name: snclosest + type: keyword + description: | + SN of the AP closest to the rogue AP + - name: sndetected + type: keyword + description: | + SN of the AP which detected the rogue AP + - name: snmeshparent + type: keyword + description: | + SN of the mesh parent + - name: spi + type: keyword + description: | + IPSEC SPI + - name: src_int + type: keyword + description: | + Source interface + - name: srcintfrole + type: keyword + description: | + Source interface role + - name: srccountry + type: keyword + description: | + Source country + - name: srcfamily + type: keyword + description: | + Source family + - name: srchwvendor + type: keyword + description: | + Source hardware vendor + - name: srchwversion + type: keyword + description: | + Source hardware version + - name: srcinetsvc + type: keyword + description: | + Source interface service + - name: srcname + type: keyword + description: | + Source name + - name: srcserver + type: integer + description: | + Source server + - name: srcssid + type: keyword + description: | + Source SSID + - name: srcswversion + type: keyword + description: | + Source software version + - name: srcuuid + type: keyword + description: | + Source UUID + - name: sscname + type: keyword + description: | + SSC name + - name: ssid + type: keyword + description: | + Base Service Set ID + - name: sslaction + type: keyword + description: | + SSL Action + - name: ssllocal + type: keyword + description: | + WAD SSL local + - name: sslremote + type: keyword + description: | + WAD SSL remote + - name: stacount + type: integer + description: | + Number of stations/clients + - name: stage + type: keyword + description: | + IPSEC stage + - name: stamac + type: keyword + description: | + 802.1x station mac + - name: state + type: keyword + description: | + Admin login state + - name: status + type: keyword + description: | + Status + - name: stitch + type: keyword + description: | + Automation stitch triggered + - name: subject + type: keyword + description: | + Email subject + - name: submodule + type: keyword + description: | + Configuration Sub-Module Name + - name: subservice + type: keyword + description: | + AV subservice + - name: subtype + type: keyword + description: | + Log subtype + - name: suspicious + type: integer + description: | + Number of Suspicious MMSs + - name: switchproto + type: keyword + description: | + Protocol change information + - name: sync_status + type: keyword + description: | + The sync status with the master + - name: sync_type + type: keyword + description: | + The sync type with the master + - name: sysuptime + type: keyword + description: | + System uptime + - name: tamac + type: keyword + description: | + the MAC address of Transmitter, if none, then Receiver + - name: threattype + type: keyword + description: | + WIDS threat type + - name: time + type: keyword + description: | + Time of the event + - name: to + type: keyword + description: | + Email to field + - name: to_vcluster + type: integer + description: | + destination virtual cluster number + - name: total + type: integer + description: | + Total memory + - name: totalsession + type: integer + description: | + Total Number of Sessions + - name: trace_id + type: keyword + description: | + Session clash trace ID + - name: trandisp + type: keyword + description: | + NAT translation type + - name: transid + type: integer + description: | + HTTP transaction ID + - name: translationid + type: keyword + description: | + DNS filter transaltion ID + - name: trigger + type: keyword + description: | + Automation stitch trigger + - name: trueclntip + type: ip + description: | + File filter true client IP + - name: tunnelid + type: integer + description: | + IPSEC tunnel ID + - name: tunnelip + type: ip + description: | + IPSEC tunnel IP + - name: tunneltype + type: keyword + description: | + IPSEC tunnel type + - name: type + type: keyword + description: | + Module type + - name: ui + type: keyword + description: | + Admin authentication UI type + - name: unauthusersource + type: keyword + description: | + Unauthenticated user source + - name: unit + type: integer + description: | + Power supply unit + - name: urlfilteridx + type: integer + description: | + URL filter ID + - name: urlfilterlist + type: keyword + description: | + URL filter list + - name: urlsource + type: keyword + description: | + URL filter source + - name: urltype + type: keyword + description: | + URL filter type + - name: used + type: integer + description: | + Number of Used IPs + - name: used_for_type + type: integer + description: | + Connection for the type + - name: utmaction + type: keyword + description: | + Security action performed by UTM + - name: vap + type: keyword + description: | + Virtual AP + - name: vapmode + type: keyword + description: | + Virtual AP mode + - name: vcluster + type: integer + description: | + virtual cluster id + - name: vcluster_member + type: integer + description: | + Virtual cluster member + - name: vcluster_state + type: keyword + description: | + Virtual cluster state + - name: vd + type: keyword + description: | + Virtual Domain Name + - name: vdname + type: keyword + description: | + Virtual Domain Name + - name: vendorurl + type: keyword + description: | + Vulnerability scan vendor name + - name: version + type: keyword + description: | + Version + - name: vip + type: keyword + description: | + Virtual IP + - name: virus + type: keyword + description: | + Virus name + - name: virusid + type: integer + description: | + Virus ID (unique virus identifier) + - name: voip_proto + type: keyword + description: | + VOIP protocol + - name: vpn + type: keyword + description: | + VPN description + - name: vpntunnel + type: keyword + description: | + IPsec Vpn Tunnel Name + - name: vpntype + type: keyword + description: | + The type of the VPN tunnel + - name: vrf + type: integer + description: | + VRF number + - name: vulncat + type: keyword + description: | + Vulnerability Category + - name: vulnid + type: integer + description: | + Vulnerability ID + - name: vulnname + type: keyword + description: | + Vulnerability name + - name: vwlid + type: integer + description: | + VWL ID + - name: vwlquality + type: keyword + description: | + VWL quality + - name: vwlservice + type: keyword + description: | + VWL service + - name: vwpvlanid + type: integer + description: | + VWP VLAN ID + - name: wanin + type: long + description: | + WAN incoming traffic in bytes + - name: wanoptapptype + type: keyword + description: | + WAN Optimization Application type + - name: wanout + type: long + description: | + WAN outgoing traffic in bytes + - name: weakwepiv + type: keyword + description: | + Weak Wep Initiation Vector + - name: xauthgroup + type: keyword + description: | + XAuth Group Name + - name: xauthuser + type: keyword + description: | + XAuth User Name + - name: xid + type: integer + description: | + Wireless X ID diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/manifest.yml b/packages/fortinet_fortigate/1.2.4/data_stream/log/manifest.yml new file mode 100755 index 0000000000..64911c6e36 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/manifest.yml @@ -0,0 +1,192 @@ +type: logs +title: Fortinet FortiGate logs +streams: + - input: tcp + vars: + - name: syslog_host + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9004 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-fortigate + - fortinet-firewall + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_connections: 1 + #framing: delimitier + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. + template_path: tcp.yml.hbs + title: Fortinet firewall logs (tcp) + description: Collect Fortinet firewall logs using tcp input + - input: udp + vars: + - name: syslog_host + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: syslog_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9004 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-fortigate + - fortinet-firewall + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: udp.yml.hbs + title: Fortinet firewall logs (udp) + description: Collect Fortinet firewall logs using udp input + - input: logfile + enabled: false + vars: + - name: paths + type: text + title: Paths + multi: true + required: false + show_user: true + default: + - /var/log/fortinet-firewall.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-fortigate + - fortinet-firewall + - forwarded + - name: internal_interfaces + type: text + title: Internal Interfaces + multi: true + required: false + show_user: false + - name: external_interfaces + type: text + title: External Interfaces + multi: true + required: false + show_user: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: log.yml.hbs + title: Fortinet FortiGate logs (log) + description: Collect Fortinet FortiGate logs using log input diff --git a/packages/fortinet_fortigate/1.2.4/data_stream/log/sample_event.json b/packages/fortinet_fortigate/1.2.4/data_stream/log/sample_event.json new file mode 100755 index 0000000000..8552aba271 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/data_stream/log/sample_event.json @@ -0,0 +1,143 @@ +{ + "@timestamp": "2019-05-15T18:03:36.000Z", + "agent": { + "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea", + "hostname": "docker-fleet-agent", + "id": "2164018d-05cd-45b4-979d-4032bdd775f6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.14.0" + }, + "data_stream": { + "dataset": "fortinet_fortigate.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "as": { + "number": 41690, + "organization": { + "name": "Dailymotion S.A." + } + }, + "geo": { + "continent_name": "Europe", + "country_iso_code": "FR", + "country_name": "France", + "location": { + "lat": 48.8582, + "lon": 2.3387 + } + }, + "ip": "195.8.215.136", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4", + "snapshot": true, + "version": "7.14.0" + }, + "event": { + "action": "app-ctrl-all", + "category": [ + "network" + ], + "code": "1059028704", + "dataset": "fortinet_fortigate.log", + "ingested": "2021-06-03T12:38:44.458586716Z", + "kind": "event", + "module": "fortinet", + "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n", + "outcome": "success", + "start": "2019-05-16T01:03:35.000Z", + "type": [ + "allowed" + ] + }, + "fortinet": { + "firewall": { + "action": "pass", + "appid": "40568", + "apprisk": "medium", + "dstintfrole": "wan", + "incidentserialno": "1962906680", + "sessionid": "4414", + "srcintfrole": "lan", + "subtype": "app-ctrl", + "type": "utm", + "vd": "root" + } + }, + "input": { + "type": "udp" + }, + "log": { + "level": "information", + "source": { + "address": "192.168.240.4:54617" + } + }, + "message": "Web.Client: HTTPS.BROWSER,", + "network": { + "application": "HTTPS.BROWSER", + "direction": "outbound", + "iana_number": "6", + "transport": "tcp", + "protocol": "https" + }, + "observer": { + "egress": { + "interface": { + "name": "port9" + } + }, + "ingress": { + "interface": { + "name": "port10" + } + }, + "product": "Fortigate", + "type": "firewall", + "vendor": "Fortinet" + }, + "related": { + "ip": [ + "10.1.100.22", + "195.8.215.136" + ] + }, + "rule": { + "category": "Web-Client", + "id": "1", + "ruleset": "block-social.media" + }, + "source": { + "ip": "10.1.100.22", + "port": 50798 + }, + "tags": [ + "fortinet-firewall", + "forwarded", + "preserve_original_event" + ], + "tls": { + "server": { + "issuer": "DigiCert SHA2 High Assurance Server CA", + "x509": { + "issuer": { + "common_name": "DigiCert SHA2 High Assurance Server CA" + }, + "subject": { + "common_name": "*.dailymotion.com" + } + } + } + }, + "url": { + "domain": "www.dailymotion.com", + "path": "/" + } +} \ No newline at end of file diff --git a/packages/fortinet_fortigate/1.2.4/docs/README.md b/packages/fortinet_fortigate/1.2.4/docs/README.md new file mode 100755 index 0000000000..db4a079004 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/docs/README.md @@ -0,0 +1,749 @@ +# Fortinet FortiGate Integration + +This integration is for Fortinet FortiGate logs sent in the syslog format. + +## Compatibility + +This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. + +### Log + +The `log` dataset collects JFortinet FortiGate logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2019-05-15T18:03:36.000Z", + "agent": { + "ephemeral_id": "74b27709-c288-4314-b386-659dbc5a62ea", + "hostname": "docker-fleet-agent", + "id": "2164018d-05cd-45b4-979d-4032bdd775f6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.14.0" + }, + "data_stream": { + "dataset": "fortinet_fortigate.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "as": { + "number": 41690, + "organization": { + "name": "Dailymotion S.A." + } + }, + "geo": { + "continent_name": "Europe", + "country_iso_code": "FR", + "country_name": "France", + "location": { + "lat": 48.8582, + "lon": 2.3387 + } + }, + "ip": "195.8.215.136", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "7cc48d16-ebf0-44b1-9094-fe2082d8f5a4", + "snapshot": true, + "version": "7.14.0" + }, + "event": { + "action": "app-ctrl-all", + "category": [ + "network" + ], + "code": "1059028704", + "dataset": "fortinet_fortigate.log", + "ingested": "2021-06-03T12:38:44.458586716Z", + "kind": "event", + "module": "fortinet", + "original": "\u003c190\u003edate=2019-05-15 time=18:03:36 logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"app-ctrl-all\" level=\"information\" vd=\"root\" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf=\"port10\" srcintfrole=\"lan\" dstintf=\"port9\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" direction=\"outgoing\" policyid=1 sessionid=4414 applist=\"block-social.media\" appcat=\"Web.Client\" app=\"HTTPS.BROWSER\" action=\"pass\" hostname=\"www.dailymotion.com\" incidentserialno=1962906680 url=\"/\" msg=\"Web.Client: HTTPS.BROWSER,\" apprisk=\"medium\" scertcname=\"*.dailymotion.com\" scertissuer=\"DigiCert SHA2 High Assurance Server CA\"\n", + "outcome": "success", + "start": "2019-05-16T01:03:35.000Z", + "type": [ + "allowed" + ] + }, + "fortinet": { + "firewall": { + "action": "pass", + "appid": "40568", + "apprisk": "medium", + "dstintfrole": "wan", + "incidentserialno": "1962906680", + "sessionid": "4414", + "srcintfrole": "lan", + "subtype": "app-ctrl", + "type": "utm", + "vd": "root" + } + }, + "input": { + "type": "udp" + }, + "log": { + "level": "information", + "source": { + "address": "192.168.240.4:54617" + } + }, + "message": "Web.Client: HTTPS.BROWSER,", + "network": { + "application": "HTTPS.BROWSER", + "direction": "outbound", + "iana_number": "6", + "transport": "tcp", + "protocol": "https" + }, + "observer": { + "egress": { + "interface": { + "name": "port9" + } + }, + "ingress": { + "interface": { + "name": "port10" + } + }, + "product": "Fortigate", + "type": "firewall", + "vendor": "Fortinet" + }, + "related": { + "ip": [ + "10.1.100.22", + "195.8.215.136" + ] + }, + "rule": { + "category": "Web-Client", + "id": "1", + "ruleset": "block-social.media" + }, + "source": { + "ip": "10.1.100.22", + "port": 50798 + }, + "tags": [ + "fortinet-firewall", + "forwarded", + "preserve_original_event" + ], + "tls": { + "server": { + "issuer": "DigiCert SHA2 High Assurance Server CA", + "x509": { + "issuer": { + "common_name": "DigiCert SHA2 High Assurance Server CA" + }, + "subject": { + "common_name": "*.dailymotion.com" + } + } + } + }, + "url": { + "domain": "www.dailymotion.com", + "path": "/" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.email | User email address. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.cc.address | The email address of CC recipient | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Name of the dataset. | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.message | Log message optimized for viewing in a log viewer. | text | +| event.module | Name of the module this data is coming from. | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| fortinet.file.hash.crc32 | CRC32 Hash of file | keyword | +| fortinet.firewall.acct_stat | Accounting state (RADIUS) | keyword | +| fortinet.firewall.acktime | Alarm Acknowledge Time | keyword | +| fortinet.firewall.act | Action | keyword | +| fortinet.firewall.action | Status of the session | keyword | +| fortinet.firewall.activity | HA activity message | keyword | +| fortinet.firewall.addr | IP Address | ip | +| fortinet.firewall.addr_type | Address Type | keyword | +| fortinet.firewall.addrgrp | Address Group | keyword | +| fortinet.firewall.adgroup | AD Group Name | keyword | +| fortinet.firewall.admin | Admin User | keyword | +| fortinet.firewall.age | Time in seconds - time passed since last seen | integer | +| fortinet.firewall.agent | User agent - eg. agent="Mozilla/5.0" | keyword | +| fortinet.firewall.alarmid | Alarm ID | integer | +| fortinet.firewall.alert | Alert | keyword | +| fortinet.firewall.analyticscksum | The checksum of the file submitted for analytics | keyword | +| fortinet.firewall.analyticssubmit | The flag for analytics submission | keyword | +| fortinet.firewall.ap | Access Point | keyword | +| fortinet.firewall.app-type | Address Type | keyword | +| fortinet.firewall.appact | The security action from app control | keyword | +| fortinet.firewall.appid | Application ID | integer | +| fortinet.firewall.applist | Application Control profile | keyword | +| fortinet.firewall.apprisk | Application Risk Level | keyword | +| fortinet.firewall.apscan | The name of the AP, which scanned and detected the rogue AP | keyword | +| fortinet.firewall.apsn | Access Point | keyword | +| fortinet.firewall.apstatus | Access Point status | keyword | +| fortinet.firewall.aptype | Access Point type | keyword | +| fortinet.firewall.assigned | Assigned IP Address | ip | +| fortinet.firewall.assignip | Assigned IP Address | ip | +| fortinet.firewall.attachment | The flag for email attachement | keyword | +| fortinet.firewall.attack | Attack Name | keyword | +| fortinet.firewall.attackcontext | The trigger patterns and the packetdata with base64 encoding | keyword | +| fortinet.firewall.attackcontextid | Attack context id / total | keyword | +| fortinet.firewall.attackid | Attack ID | integer | +| fortinet.firewall.auditid | Audit ID | long | +| fortinet.firewall.auditscore | The Audit Score | keyword | +| fortinet.firewall.audittime | The time of the audit | long | +| fortinet.firewall.authgrp | Authorization Group | keyword | +| fortinet.firewall.authid | Authentication ID | keyword | +| fortinet.firewall.authproto | The protocol that initiated the authentication | keyword | +| fortinet.firewall.authserver | Authentication server | keyword | +| fortinet.firewall.bandwidth | Bandwidth | keyword | +| fortinet.firewall.banned_rule | NAC quarantine Banned Rule Name | keyword | +| fortinet.firewall.banned_src | NAC quarantine Banned Source IP | keyword | +| fortinet.firewall.banword | Banned word | keyword | +| fortinet.firewall.botnetdomain | Botnet Domain Name | keyword | +| fortinet.firewall.botnetip | Botnet IP Address | ip | +| fortinet.firewall.bssid | Service Set ID | keyword | +| fortinet.firewall.call_id | Caller ID | keyword | +| fortinet.firewall.carrier_ep | The FortiOS Carrier end-point identification | keyword | +| fortinet.firewall.cat | DNS category ID | integer | +| fortinet.firewall.category | Authentication category | keyword | +| fortinet.firewall.cc | CC Email Address | keyword | +| fortinet.firewall.cdrcontent | Cdrcontent | keyword | +| fortinet.firewall.centralnatid | Central NAT ID | integer | +| fortinet.firewall.cert | Certificate | keyword | +| fortinet.firewall.cert-type | Certificate type | keyword | +| fortinet.firewall.certhash | Certificate hash | keyword | +| fortinet.firewall.cfgattr | Configuration attribute | keyword | +| fortinet.firewall.cfgobj | Configuration object | keyword | +| fortinet.firewall.cfgpath | Configuration path | keyword | +| fortinet.firewall.cfgtid | Configuration transaction ID | keyword | +| fortinet.firewall.cfgtxpower | Configuration TX power | integer | +| fortinet.firewall.channel | Wireless Channel | integer | +| fortinet.firewall.channeltype | SSH channel type | keyword | +| fortinet.firewall.chassisid | Chassis ID | integer | +| fortinet.firewall.checksum | The checksum of the scanned file | keyword | +| fortinet.firewall.chgheaders | HTTP Headers | keyword | +| fortinet.firewall.cldobjid | Connector object ID | keyword | +| fortinet.firewall.client_addr | Wifi client address | keyword | +| fortinet.firewall.cloudaction | Cloud Action | keyword | +| fortinet.firewall.clouduser | Cloud User | keyword | +| fortinet.firewall.column | VOIP Column | integer | +| fortinet.firewall.command | CLI Command | keyword | +| fortinet.firewall.community | SNMP Community | keyword | +| fortinet.firewall.configcountry | Configuration country | keyword | +| fortinet.firewall.connection_type | FortiClient Connection Type | keyword | +| fortinet.firewall.conserve | Flag for conserve mode | keyword | +| fortinet.firewall.constraint | WAF http protocol restrictions | keyword | +| fortinet.firewall.contentdisarmed | Email scanned content | keyword | +| fortinet.firewall.contenttype | Content Type from HTTP header | keyword | +| fortinet.firewall.cookies | VPN Cookie | keyword | +| fortinet.firewall.count | Counts of action type | integer | +| fortinet.firewall.countapp | Number of App Ctrl logs associated with the session | integer | +| fortinet.firewall.countav | Number of AV logs associated with the session | integer | +| fortinet.firewall.countcifs | Number of CIFS logs associated with the session | integer | +| fortinet.firewall.countdlp | Number of DLP logs associated with the session | integer | +| fortinet.firewall.countdns | Number of DNS logs associated with the session | integer | +| fortinet.firewall.countemail | Number of email logs associated with the session | integer | +| fortinet.firewall.countff | Number of ff logs associated with the session | integer | +| fortinet.firewall.countips | Number of IPS logs associated with the session | integer | +| fortinet.firewall.countssh | Number of SSH logs associated with the session | integer | +| fortinet.firewall.countssl | Number of SSL logs associated with the session | integer | +| fortinet.firewall.countwaf | Number of WAF logs associated with the session | integer | +| fortinet.firewall.countweb | Number of Web filter logs associated with the session | integer | +| fortinet.firewall.cpu | CPU Usage | integer | +| fortinet.firewall.craction | Client Reputation Action | integer | +| fortinet.firewall.criticalcount | Number of critical ratings | integer | +| fortinet.firewall.crl | Client Reputation Level | keyword | +| fortinet.firewall.crlevel | Client Reputation Level | keyword | +| fortinet.firewall.crscore | Some description | integer | +| fortinet.firewall.cveid | CVE ID | keyword | +| fortinet.firewall.daemon | Daemon name | keyword | +| fortinet.firewall.datarange | Data range for reports | keyword | +| fortinet.firewall.date | Date | keyword | +| fortinet.firewall.ddnsserver | DDNS server | ip | +| fortinet.firewall.desc | Description | keyword | +| fortinet.firewall.detectionmethod | Detection method | keyword | +| fortinet.firewall.devcategory | Device category | keyword | +| fortinet.firewall.devintfname | HA device Interface Name | keyword | +| fortinet.firewall.devtype | Device type | keyword | +| fortinet.firewall.dhcp_msg | DHCP Message | keyword | +| fortinet.firewall.dintf | Destination interface | keyword | +| fortinet.firewall.disk | Assosciated disk | keyword | +| fortinet.firewall.disklograte | Disk logging rate | long | +| fortinet.firewall.dlpextra | DLP extra information | keyword | +| fortinet.firewall.docsource | DLP fingerprint document source | keyword | +| fortinet.firewall.domainctrlauthstate | CIFS domain auth state | integer | +| fortinet.firewall.domainctrlauthtype | CIFS domain auth type | integer | +| fortinet.firewall.domainctrldomain | CIFS domain auth domain | keyword | +| fortinet.firewall.domainctrlip | CIFS Domain IP | ip | +| fortinet.firewall.domainctrlname | CIFS Domain name | keyword | +| fortinet.firewall.domainctrlprotocoltype | CIFS Domain connection protocol | integer | +| fortinet.firewall.domainctrlusername | CIFS Domain username | keyword | +| fortinet.firewall.domainfilteridx | Domain filter ID | integer | +| fortinet.firewall.domainfilterlist | Domain filter name | keyword | +| fortinet.firewall.ds | Direction with distribution system | keyword | +| fortinet.firewall.dst_int | Destination interface | keyword | +| fortinet.firewall.dstcountry | Destination country | keyword | +| fortinet.firewall.dstdevcategory | Destination device category | keyword | +| fortinet.firewall.dstdevtype | Destination device type | keyword | +| fortinet.firewall.dstfamily | Destination OS family | keyword | +| fortinet.firewall.dsthwvendor | Destination HW vendor | keyword | +| fortinet.firewall.dsthwversion | Destination HW version | keyword | +| fortinet.firewall.dstinetsvc | Destination interface service | keyword | +| fortinet.firewall.dstintfrole | Destination interface role | keyword | +| fortinet.firewall.dstosname | Destination OS name | keyword | +| fortinet.firewall.dstosversion | Destination OS version | keyword | +| fortinet.firewall.dstserver | Destination server | integer | +| fortinet.firewall.dstssid | Destination SSID | keyword | +| fortinet.firewall.dstswversion | Destination software version | keyword | +| fortinet.firewall.dstunauthusersource | Destination unauthenticated source | keyword | +| fortinet.firewall.dstuuid | UUID of the Destination IP address | keyword | +| fortinet.firewall.duid | DHCP UID | keyword | +| fortinet.firewall.eapolcnt | EAPOL packet count | integer | +| fortinet.firewall.eapoltype | EAPOL packet type | keyword | +| fortinet.firewall.encrypt | Whether the packet is encrypted or not | integer | +| fortinet.firewall.encryption | Encryption method | keyword | +| fortinet.firewall.epoch | Epoch used for locating file | integer | +| fortinet.firewall.espauth | ESP Authentication | keyword | +| fortinet.firewall.esptransform | ESP Transform | keyword | +| fortinet.firewall.exch | Mail Exchanges from DNS response answer section | keyword | +| fortinet.firewall.exchange | Mail Exchanges from DNS response answer section | keyword | +| fortinet.firewall.expectedsignature | Expected SSL signature | keyword | +| fortinet.firewall.expiry | FortiGuard override expiry timestamp | keyword | +| fortinet.firewall.fams_pause | Fortinet Analysis and Management Service Pause | integer | +| fortinet.firewall.fazlograte | FortiAnalyzer Logging Rate | long | +| fortinet.firewall.fctemssn | FortiClient Endpoint SSN | keyword | +| fortinet.firewall.fctuid | FortiClient UID | keyword | +| fortinet.firewall.field | NTP status field | keyword | +| fortinet.firewall.filefilter | The filter used to identify the affected file | keyword | +| fortinet.firewall.filehashsrc | Filehash source | keyword | +| fortinet.firewall.filtercat | DLP filter category | keyword | +| fortinet.firewall.filteridx | DLP filter ID | integer | +| fortinet.firewall.filtername | DLP rule name | keyword | +| fortinet.firewall.filtertype | DLP filter type | keyword | +| fortinet.firewall.fortiguardresp | Antispam ESP value | keyword | +| fortinet.firewall.forwardedfor | Email address forwarded | keyword | +| fortinet.firewall.fqdn | FQDN | keyword | +| fortinet.firewall.frametype | Wireless frametype | keyword | +| fortinet.firewall.freediskstorage | Free disk integer | integer | +| fortinet.firewall.from | From email address | keyword | +| fortinet.firewall.from_vcluster | Source virtual cluster number | integer | +| fortinet.firewall.fsaverdict | FSA verdict | keyword | +| fortinet.firewall.fwserver_name | Web proxy server name | keyword | +| fortinet.firewall.gateway | Gateway ip address for PPPoE status report | ip | +| fortinet.firewall.green | Memory status | keyword | +| fortinet.firewall.groupid | User Group ID | integer | +| fortinet.firewall.ha-prio | HA Priority | integer | +| fortinet.firewall.ha_group | HA Group | keyword | +| fortinet.firewall.ha_role | HA Role | keyword | +| fortinet.firewall.handshake | SSL Handshake | keyword | +| fortinet.firewall.hash | Hash value of downloaded file | keyword | +| fortinet.firewall.hbdn_reason | Heartbeat down reason | keyword | +| fortinet.firewall.highcount | Highcount fabric summary | integer | +| fortinet.firewall.host | Hostname | keyword | +| fortinet.firewall.iaid | DHCPv6 id | keyword | +| fortinet.firewall.icmpcode | Destination Port of the ICMP message | keyword | +| fortinet.firewall.icmpid | Source port of the ICMP message | keyword | +| fortinet.firewall.icmptype | The type of ICMP message | keyword | +| fortinet.firewall.identifier | Network traffic identifier | integer | +| fortinet.firewall.in_spi | IPSEC inbound SPI | keyword | +| fortinet.firewall.incidentserialno | Incident serial number | integer | +| fortinet.firewall.infected | Infected MMS | integer | +| fortinet.firewall.infectedfilelevel | DLP infected file level | integer | +| fortinet.firewall.informationsource | Information source | keyword | +| fortinet.firewall.init | IPSEC init stage | keyword | +| fortinet.firewall.initiator | Original login user name for Fortiguard override | keyword | +| fortinet.firewall.interface | Related interface | keyword | +| fortinet.firewall.intf | Related interface | keyword | +| fortinet.firewall.invalidmac | The MAC address with invalid OUI | keyword | +| fortinet.firewall.ip | Related IP | ip | +| fortinet.firewall.iptype | Related IP type | keyword | +| fortinet.firewall.keyword | Keyword used for search | keyword | +| fortinet.firewall.kind | VOIP kind | keyword | +| fortinet.firewall.lanin | LAN incoming traffic in bytes | long | +| fortinet.firewall.lanout | LAN outbound traffic in bytes | long | +| fortinet.firewall.lease | DHCP lease | integer | +| fortinet.firewall.license_limit | Maximum Number of FortiClients for the License | keyword | +| fortinet.firewall.limit | Virtual Domain Resource Limit | integer | +| fortinet.firewall.line | VOIP line | keyword | +| fortinet.firewall.live | Time in seconds | integer | +| fortinet.firewall.local | Local IP for a PPPD Connection | ip | +| fortinet.firewall.log | Log message | keyword | +| fortinet.firewall.login | SSH login | keyword | +| fortinet.firewall.lowcount | Fabric lowcount | integer | +| fortinet.firewall.mac | DHCP mac address | keyword | +| fortinet.firewall.malform_data | VOIP malformed data | integer | +| fortinet.firewall.malform_desc | VOIP malformed data description | keyword | +| fortinet.firewall.manuf | Manufacturer name | keyword | +| fortinet.firewall.masterdstmac | Master mac address for a host with multiple network interfaces | keyword | +| fortinet.firewall.mastersrcmac | The master MAC address for a host that has multiple network interfaces | keyword | +| fortinet.firewall.mediumcount | Fabric medium count | integer | +| fortinet.firewall.mem | Memory usage system statistics | integer | +| fortinet.firewall.meshmode | Wireless mesh mode | keyword | +| fortinet.firewall.message_type | VOIP message type | keyword | +| fortinet.firewall.method | HTTP method | keyword | +| fortinet.firewall.mgmtcnt | The number of unauthorized client flooding managemet frames | integer | +| fortinet.firewall.mode | IPSEC mode | keyword | +| fortinet.firewall.module | PCI-DSS module | keyword | +| fortinet.firewall.monitor-name | Health Monitor Name | keyword | +| fortinet.firewall.monitor-type | Health Monitor Type | keyword | +| fortinet.firewall.mpsk | Wireless MPSK | keyword | +| fortinet.firewall.msgproto | Message Protocol Number | keyword | +| fortinet.firewall.mtu | Max Transmission Unit Value | integer | +| fortinet.firewall.name | Name | keyword | +| fortinet.firewall.nat | NAT IP Address | keyword | +| fortinet.firewall.netid | Connector NetID | keyword | +| fortinet.firewall.new_status | New status on user change | keyword | +| fortinet.firewall.new_value | New Virtual Domain Name | keyword | +| fortinet.firewall.newchannel | New Channel Number | integer | +| fortinet.firewall.newchassisid | New Chassis ID | integer | +| fortinet.firewall.newslot | New Slot Number | integer | +| fortinet.firewall.nextstat | Time interval in seconds for the next statistics. | integer | +| fortinet.firewall.nf_type | Notification Type | keyword | +| fortinet.firewall.noise | Wifi Noise | integer | +| fortinet.firewall.old_status | Original Status | keyword | +| fortinet.firewall.old_value | Original Virtual Domain name | keyword | +| fortinet.firewall.oldchannel | Original channel | integer | +| fortinet.firewall.oldchassisid | Original Chassis Number | integer | +| fortinet.firewall.oldslot | Original Slot Number | integer | +| fortinet.firewall.oldsn | Old Serial number | keyword | +| fortinet.firewall.oldwprof | Old Web Filter Profile | keyword | +| fortinet.firewall.onwire | A flag to indicate if the AP is onwire or not | keyword | +| fortinet.firewall.opercountry | Operating Country | keyword | +| fortinet.firewall.opertxpower | Operating TX power | integer | +| fortinet.firewall.osname | Operating System name | keyword | +| fortinet.firewall.osversion | Operating System version | keyword | +| fortinet.firewall.out_spi | Out SPI | keyword | +| fortinet.firewall.outintf | Out interface | keyword | +| fortinet.firewall.passedcount | Fabric passed count | integer | +| fortinet.firewall.passwd | Changed user password information | keyword | +| fortinet.firewall.path | Path of looped configuration for security fabric | keyword | +| fortinet.firewall.peer | WAN optimization peer | keyword | +| fortinet.firewall.peer_notif | VPN peer notification | keyword | +| fortinet.firewall.phase2_name | VPN phase2 name | keyword | +| fortinet.firewall.phone | VOIP Phone | keyword | +| fortinet.firewall.pid | Process ID | integer | +| fortinet.firewall.policytype | Policy Type | keyword | +| fortinet.firewall.poolname | IP Pool name | keyword | +| fortinet.firewall.port | Log upload error port | integer | +| fortinet.firewall.portbegin | IP Pool port number to begin | integer | +| fortinet.firewall.portend | IP Pool port number to end | integer | +| fortinet.firewall.probeproto | Link Monitor Probe Protocol | keyword | +| fortinet.firewall.process | URL Filter process | keyword | +| fortinet.firewall.processtime | Process time for reports | integer | +| fortinet.firewall.profile | Profile Name | keyword | +| fortinet.firewall.profile_vd | Virtual Domain Name | keyword | +| fortinet.firewall.profilegroup | Profile Group Name | keyword | +| fortinet.firewall.profiletype | Profile Type | keyword | +| fortinet.firewall.qtypeval | DNS question type value | integer | +| fortinet.firewall.quarskip | Quarantine skip explanation | keyword | +| fortinet.firewall.quotaexceeded | If quota has been exceeded | keyword | +| fortinet.firewall.quotamax | Maximum quota allowed - in seconds if time-based - in bytes if traffic-based | long | +| fortinet.firewall.quotatype | Quota type | keyword | +| fortinet.firewall.quotaused | Quota used - in seconds if time-based - in bytes if trafficbased) | long | +| fortinet.firewall.radioband | Radio band | keyword | +| fortinet.firewall.radioid | Radio ID | integer | +| fortinet.firewall.radioidclosest | Radio ID on the AP closest the rogue AP | integer | +| fortinet.firewall.radioiddetected | Radio ID on the AP which detected the rogue AP | integer | +| fortinet.firewall.rate | Wireless rogue rate value | keyword | +| fortinet.firewall.rawdata | Raw data value | keyword | +| fortinet.firewall.rawdataid | Raw data ID | keyword | +| fortinet.firewall.rcvddelta | Received bytes delta | keyword | +| fortinet.firewall.reason | Alert reason | keyword | +| fortinet.firewall.received | Server key exchange received | integer | +| fortinet.firewall.receivedsignature | Server key exchange received signature | keyword | +| fortinet.firewall.red | Memory information in red | keyword | +| fortinet.firewall.referralurl | Web filter referralurl | keyword | +| fortinet.firewall.remote | Remote PPP IP address | ip | +| fortinet.firewall.remotewtptime | Remote Wifi Radius authentication time | keyword | +| fortinet.firewall.reporttype | Report type | keyword | +| fortinet.firewall.reqtype | Request type | keyword | +| fortinet.firewall.request_name | VOIP request name | keyword | +| fortinet.firewall.result | VPN phase result | keyword | +| fortinet.firewall.role | VPN Phase 2 role | keyword | +| fortinet.firewall.rssi | Received signal strength indicator | integer | +| fortinet.firewall.rsso_key | RADIUS SSO attribute value | keyword | +| fortinet.firewall.ruledata | Rule data | keyword | +| fortinet.firewall.ruletype | Rule type | keyword | +| fortinet.firewall.scanned | Number of Scanned MMSs | integer | +| fortinet.firewall.scantime | Scanned time | long | +| fortinet.firewall.scope | FortiGuard Override Scope | keyword | +| fortinet.firewall.security | Wireless rogue security | keyword | +| fortinet.firewall.sensitivity | Sensitivity for document fingerprint | keyword | +| fortinet.firewall.sensor | NAC Sensor Name | keyword | +| fortinet.firewall.sentdelta | Sent bytes delta | keyword | +| fortinet.firewall.seq | Sequence number | keyword | +| fortinet.firewall.serial | WAN optimisation serial | keyword | +| fortinet.firewall.serialno | Serial number | keyword | +| fortinet.firewall.server | AD server FQDN or IP | keyword | +| fortinet.firewall.session_id | Session ID | keyword | +| fortinet.firewall.sessionid | WAD Session ID | integer | +| fortinet.firewall.setuprate | Session Setup Rate | long | +| fortinet.firewall.severity | Severity | keyword | +| fortinet.firewall.shaperdroprcvdbyte | Received bytes dropped by shaper | integer | +| fortinet.firewall.shaperdropsentbyte | Sent bytes dropped by shaper | integer | +| fortinet.firewall.shaperperipdropbyte | Dropped bytes per IP by shaper | integer | +| fortinet.firewall.shaperperipname | Traffic shaper name (per IP) | keyword | +| fortinet.firewall.shaperrcvdname | Traffic shaper name for received traffic | keyword | +| fortinet.firewall.shapersentname | Traffic shaper name for sent traffic | keyword | +| fortinet.firewall.shapingpolicyid | Traffic shaper policy ID | integer | +| fortinet.firewall.signal | Wireless rogue API signal | integer | +| fortinet.firewall.size | Email size in bytes | long | +| fortinet.firewall.slot | Slot number | integer | +| fortinet.firewall.sn | Security fabric serial number | keyword | +| fortinet.firewall.snclosest | SN of the AP closest to the rogue AP | keyword | +| fortinet.firewall.sndetected | SN of the AP which detected the rogue AP | keyword | +| fortinet.firewall.snmeshparent | SN of the mesh parent | keyword | +| fortinet.firewall.spi | IPSEC SPI | keyword | +| fortinet.firewall.src_int | Source interface | keyword | +| fortinet.firewall.srccountry | Source country | keyword | +| fortinet.firewall.srcfamily | Source family | keyword | +| fortinet.firewall.srchwvendor | Source hardware vendor | keyword | +| fortinet.firewall.srchwversion | Source hardware version | keyword | +| fortinet.firewall.srcinetsvc | Source interface service | keyword | +| fortinet.firewall.srcintfrole | Source interface role | keyword | +| fortinet.firewall.srcname | Source name | keyword | +| fortinet.firewall.srcserver | Source server | integer | +| fortinet.firewall.srcssid | Source SSID | keyword | +| fortinet.firewall.srcswversion | Source software version | keyword | +| fortinet.firewall.srcuuid | Source UUID | keyword | +| fortinet.firewall.sscname | SSC name | keyword | +| fortinet.firewall.ssid | Base Service Set ID | keyword | +| fortinet.firewall.sslaction | SSL Action | keyword | +| fortinet.firewall.ssllocal | WAD SSL local | keyword | +| fortinet.firewall.sslremote | WAD SSL remote | keyword | +| fortinet.firewall.stacount | Number of stations/clients | integer | +| fortinet.firewall.stage | IPSEC stage | keyword | +| fortinet.firewall.stamac | 802.1x station mac | keyword | +| fortinet.firewall.state | Admin login state | keyword | +| fortinet.firewall.status | Status | keyword | +| fortinet.firewall.stitch | Automation stitch triggered | keyword | +| fortinet.firewall.subject | Email subject | keyword | +| fortinet.firewall.submodule | Configuration Sub-Module Name | keyword | +| fortinet.firewall.subservice | AV subservice | keyword | +| fortinet.firewall.subtype | Log subtype | keyword | +| fortinet.firewall.suspicious | Number of Suspicious MMSs | integer | +| fortinet.firewall.switchproto | Protocol change information | keyword | +| fortinet.firewall.sync_status | The sync status with the master | keyword | +| fortinet.firewall.sync_type | The sync type with the master | keyword | +| fortinet.firewall.sysuptime | System uptime | keyword | +| fortinet.firewall.tamac | the MAC address of Transmitter, if none, then Receiver | keyword | +| fortinet.firewall.threattype | WIDS threat type | keyword | +| fortinet.firewall.time | Time of the event | keyword | +| fortinet.firewall.to | Email to field | keyword | +| fortinet.firewall.to_vcluster | destination virtual cluster number | integer | +| fortinet.firewall.total | Total memory | integer | +| fortinet.firewall.totalsession | Total Number of Sessions | integer | +| fortinet.firewall.trace_id | Session clash trace ID | keyword | +| fortinet.firewall.trandisp | NAT translation type | keyword | +| fortinet.firewall.transid | HTTP transaction ID | integer | +| fortinet.firewall.translationid | DNS filter transaltion ID | keyword | +| fortinet.firewall.trigger | Automation stitch trigger | keyword | +| fortinet.firewall.trueclntip | File filter true client IP | ip | +| fortinet.firewall.tunnelid | IPSEC tunnel ID | integer | +| fortinet.firewall.tunnelip | IPSEC tunnel IP | ip | +| fortinet.firewall.tunneltype | IPSEC tunnel type | keyword | +| fortinet.firewall.type | Module type | keyword | +| fortinet.firewall.ui | Admin authentication UI type | keyword | +| fortinet.firewall.unauthusersource | Unauthenticated user source | keyword | +| fortinet.firewall.unit | Power supply unit | integer | +| fortinet.firewall.urlfilteridx | URL filter ID | integer | +| fortinet.firewall.urlfilterlist | URL filter list | keyword | +| fortinet.firewall.urlsource | URL filter source | keyword | +| fortinet.firewall.urltype | URL filter type | keyword | +| fortinet.firewall.used | Number of Used IPs | integer | +| fortinet.firewall.used_for_type | Connection for the type | integer | +| fortinet.firewall.utmaction | Security action performed by UTM | keyword | +| fortinet.firewall.vap | Virtual AP | keyword | +| fortinet.firewall.vapmode | Virtual AP mode | keyword | +| fortinet.firewall.vcluster | virtual cluster id | integer | +| fortinet.firewall.vcluster_member | Virtual cluster member | integer | +| fortinet.firewall.vcluster_state | Virtual cluster state | keyword | +| fortinet.firewall.vd | Virtual Domain Name | keyword | +| fortinet.firewall.vdname | Virtual Domain Name | keyword | +| fortinet.firewall.vendorurl | Vulnerability scan vendor name | keyword | +| fortinet.firewall.version | Version | keyword | +| fortinet.firewall.vip | Virtual IP | keyword | +| fortinet.firewall.virus | Virus name | keyword | +| fortinet.firewall.virusid | Virus ID (unique virus identifier) | integer | +| fortinet.firewall.voip_proto | VOIP protocol | keyword | +| fortinet.firewall.vpn | VPN description | keyword | +| fortinet.firewall.vpntunnel | IPsec Vpn Tunnel Name | keyword | +| fortinet.firewall.vpntype | The type of the VPN tunnel | keyword | +| fortinet.firewall.vrf | VRF number | integer | +| fortinet.firewall.vulncat | Vulnerability Category | keyword | +| fortinet.firewall.vulnid | Vulnerability ID | integer | +| fortinet.firewall.vulnname | Vulnerability name | keyword | +| fortinet.firewall.vwlid | VWL ID | integer | +| fortinet.firewall.vwlquality | VWL quality | keyword | +| fortinet.firewall.vwlservice | VWL service | keyword | +| fortinet.firewall.vwpvlanid | VWP VLAN ID | integer | +| fortinet.firewall.wanin | WAN incoming traffic in bytes | long | +| fortinet.firewall.wanoptapptype | WAN Optimization Application type | keyword | +| fortinet.firewall.wanout | WAN outgoing traffic in bytes | long | +| fortinet.firewall.weakwepiv | Weak Wep Initiation Vector | keyword | +| fortinet.firewall.xauthgroup | XAuth Group Name | keyword | +| fortinet.firewall.xauthuser | XAuth User Name | keyword | +| fortinet.firewall.xid | Wireless X ID | integer | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | +| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | +| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword | +| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | diff --git a/packages/fortinet_fortigate/1.2.4/img/dashboard.png b/packages/fortinet_fortigate/1.2.4/img/dashboard.png new file mode 100755 index 0000000000..268a29bd0e Binary files /dev/null and b/packages/fortinet_fortigate/1.2.4/img/dashboard.png differ diff --git a/packages/fortinet_fortigate/1.2.4/img/fortinet-logo.svg b/packages/fortinet_fortigate/1.2.4/img/fortinet-logo.svg new file mode 100755 index 0000000000..d6a8448f32 --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/img/fortinet-logo.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/packages/fortinet_fortigate/1.2.4/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json b/packages/fortinet_fortigate/1.2.4/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json new file mode 100755 index 0000000000..7ea26c928a --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/kibana/dashboard/fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4.json @@ -0,0 +1,143 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "NONE", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"eb2ef977-0de8-4bd4-a936-8bd25a74543c\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.category\",\"title\":\"Event Category\",\"id\":\"eb2ef977-0de8-4bd4-a936-8bd25a74543c\",\"enhancements\":{}}},\"cfa74479-5cd8-48b4-b302-86302d5cc8a6\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.outcome\",\"title\":\"Event Outcome\",\"id\":\"cfa74479-5cd8-48b4-b302-86302d5cc8a6\",\"enhancements\":{}}},\"ee56c2d4-3f4e-4914-bc04-74a600f57188\":{\"order\":4,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"log.level\",\"title\":\"Fortinet Log Level\",\"id\":\"ee56c2d4-3f4e-4914-bc04-74a600f57188\",\"enhancements\":{},\"selectedOptions\":[]}},\"ad683801-15c1-4243-a870-c533cf32c7e3\":{\"order\":3,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Event Action\",\"fieldName\":\"event.action\",\"selectedOptions\":[],\"id\":\"ad683801-15c1-4243-a870-c533cf32c7e3\",\"enhancements\":{}}},\"c66d9124-057b-40aa-bc0a-fab5624ed285\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"fortinet.firewall.type\",\"title\":\"Firewall Operation Type\",\"id\":\"c66d9124-057b-40aa-bc0a-fab5624ed285\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Overview of Fortinet FortiGate firewall events", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"fortinet_fortigate.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"fortinet_fortigate.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"syncTooltips\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"aef92dcc-7959-4c94-90ef-373478d28419\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"aef92dcc-7959-4c94-90ef-373478d28419\",\"title\":\"Event Category\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"53ff2f86-bf06-4677-92d2-067155f609f3\",\"w\":12,\"x\":12,\"y\":0},\"panelIndex\":\"53ff2f86-bf06-4677-92d2-067155f609f3\",\"title\":\"Event Outcome\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"b3871313-73e1-4197-af66-2ff82506fafd\",\"w\":12,\"x\":24,\"y\":0},\"panelIndex\":\"b3871313-73e1-4197-af66-2ff82506fafd\",\"title\":\"Fortinet Log Level\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of log.level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"log.level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"941798ef-1ae4-4ebe-8867-a17eb8b1a4b9\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"941798ef-1ae4-4ebe-8867-a17eb8b1a4b9\",\"title\":\"Fortinet Log Level\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"f20139de-a0eb-463f-a9c8-183dce76b3fa\",\"w\":12,\"x\":0,\"y\":7},\"panelIndex\":\"f20139de-a0eb-463f-a9c8-183dce76b3fa\",\"title\":\"Network Direction\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of network.transport\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.transport\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"14f2d7bc-a79b-4917-a0a3-9656891cc0d8\",\"w\":12,\"x\":12,\"y\":7},\"panelIndex\":\"14f2d7bc-a79b-4917-a0a3-9656891cc0d8\",\"title\":\"Network Transport\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Syslog Severity\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"log.syslog.severity.code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"85b98bdc-73a7-4032-aef1-91921b5235ce\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"85b98bdc-73a7-4032-aef1-91921b5235ce\",\"title\":\"Syslog Severities\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\":{\"columnOrder\":[\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\",\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"columns\":{\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Event Duration\",\"operationType\":\"range\",\"params\":{\"includeEmptyRows\":true,\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"event.duration\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"098c8c66-e7b7-4877-8ede-e69c2ab79d08\"],\"layerId\":\"3315c7ab-9184-4bc2-8d29-bfa4f03c0357\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"e5f0842d-128d-4718-9d9d-3fd543f0d8e3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"3652abe3-b251-4cc0-a014-a81bbe764d33\",\"w\":12,\"x\":24,\"y\":7},\"panelIndex\":\"3652abe3-b251-4cc0-a014-a81bbe764d33\",\"title\":\"Event Duration\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2573c22c-9787-4385-a01b-779b948ee617\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2573c22c-9787-4385-a01b-779b948ee617\":{\"columnOrder\":[\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\",\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\"],\"columns\":{\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d18fd8ee-eba8-421c-ae32-a71f7e414f3f\"],\"layerId\":\"2573c22c-9787-4385-a01b-779b948ee617\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"2ae7b9f4-59a0-4614-970e-b9e0aa0f8979\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"c284fd4a-cd25-4fe3-8124-f2458aed0257\",\"w\":48,\"x\":0,\"y\":14},\"panelIndex\":\"c284fd4a-cd25-4fe3-8124-f2458aed0257\",\"title\":\"Requests Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-64b9d1d0-7503-4967-849c-be0201d51ac1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"64b9d1d0-7503-4967-849c-be0201d51ac1\":{\"columnOrder\":[\"e4b7b011-b2e7-41bf-895d-11b402493f26\",\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\"],\"columns\":{\"e4b7b011-b2e7-41bf-895d-11b402493f26\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Median of network.bytes\",\"operationType\":\"median\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"ed019e2d-fc96-4301-bf59-c2330c54b2f7\"],\"layerId\":\"64b9d1d0-7503-4967-849c-be0201d51ac1\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"e4b7b011-b2e7-41bf-895d-11b402493f26\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"58884a18-ec0a-46f1-bf37-de86aba407ad\",\"w\":48,\"x\":0,\"y\":26},\"panelIndex\":\"58884a18-ec0a-46f1-bf37-de86aba407ad\",\"title\":\"Network Bytes Over Time\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"locale\\\":\\\"autoselect\\\",\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"639d6137-90ec-4d57-8478-e509f53ce69d\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"sourceGeoField\\\":\\\"source.geo.location\\\",\\\"destGeoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"1eb41e3c-4868-4a02-a274-7e2d0c99395d\\\",\\\"type\\\":\\\"ES_PEW_PEW\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"style\\\":{\\\"type\\\":\\\"VECTOR\\\",\\\"properties\\\":{\\\"icon\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"marker\\\"}},\\\"fillColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"}},\\\"lineColor\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"color\\\":\\\"Blues\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"lineWidth\\\":{\\\"type\\\":\\\"DYNAMIC\\\",\\\"options\\\":{\\\"minSize\\\":1,\\\"maxSize\\\":10,\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":true,\\\"sigma\\\":3}}},\\\"iconSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":6}},\\\"iconOrientation\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"orientation\\\":0}},\\\"labelText\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"value\\\":\\\"\\\"}},\\\"labelColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"}},\\\"labelSize\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"size\\\":14}},\\\"labelBorderColor\\\":{\\\"type\\\":\\\"STATIC\\\",\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"}},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}}},\\\"isTimeAware\\\":true},\\\"id\\\":\\\"849d4635-b0b9-48e8-a55e-2af1ad03cdc6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"GEOJSON_VECTOR\\\",\\\"joins\\\":[]},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"2324e246-cacb-44b6-9b5d-adfe78680a50\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\",\\\"label\\\":\\\"\\\"}],\\\"indexPatternRefName\\\":\\\"layer_2_source_index_pattern\\\"},\\\"id\\\":\\\"8bcd1ead-bbd9-4e7f-8764-0042c69a815a\\\",\\\"label\\\":\\\"Destination Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Blues\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"source.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"id\\\":\\\"89afbedd-118f-4a04-9015-57165b9b84dd\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_3_source_index_pattern\\\"},\\\"id\\\":\\\"1c35d621-57d9-48b9-afa9-9755aae6c1ac\\\",\\\"label\\\":\\\"Source Location\\\",\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"Yellow to Red\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.64,\\\"center\\\":{\\\"lon\\\":90.00001,\\\"lat\\\":0},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":89.78601,\"maxLon\":360,\"minLat\":-89.78601,\"minLon\":-180},\"mapCenter\":{\"lat\":0,\"lon\":90.00001,\"zoom\":0.38},\"openTOCDetails\":[]},\"gridData\":{\"h\":25,\"i\":\"3559260b-1b7d-4053-b958-d6eb5f4e839e\",\"w\":24,\"x\":0,\"y\":38},\"panelIndex\":\"3559260b-1b7d-4053-b958-d6eb5f4e839e\",\"title\":\"Connections\",\"type\":\"map\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.country_name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"9eb208d4-f6d7-468a-b558-a98ecc64e262\",\"w\":12,\"x\":24,\"y\":38},\"panelIndex\":\"9eb208d4-f6d7-468a-b558-a98ecc64e262\",\"title\":\"Source Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of source.as.organization.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"bbd15cda-94cf-4624-acfe-f255efbb5855\",\"w\":12,\"x\":36,\"y\":38},\"panelIndex\":\"bbd15cda-94cf-4624-acfe-f255efbb5855\",\"title\":\"Source Organization\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of destination.geo.country_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.country_name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"83c59f55-5df1-4715-8fb1-d088f0e10019\",\"w\":12,\"x\":24,\"y\":51},\"panelIndex\":\"83c59f55-5df1-4715-8fb1-d088f0e10019\",\"title\":\"Destination Country\",\"type\":\"lens\",\"version\":\"8.3.2\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b509c65-21ea-4bc9-98ac-38f059b301f9\":{\"columnOrder\":[\"d5104737-a960-4de0-950e-d33e797f9346\",\"f14b52f5-b58b-4cac-8878-20f877e4724e\"],\"columns\":{\"d5104737-a960-4de0-950e-d33e797f9346\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 10 values of destination.as.organization.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[],\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"f14b52f5-b58b-4cac-8878-20f877e4724e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d5104737-a960-4de0-950e-d33e797f9346\"],\"layerId\":\"3b509c65-21ea-4bc9-98ac-38f059b301f9\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f14b52f5-b58b-4cac-8878-20f877e4724e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"1e4ffbda-33d2-40eb-9746-4469775466f7\",\"w\":12,\"x\":36,\"y\":51},\"panelIndex\":\"1e4ffbda-33d2-40eb-9746-4469775466f7\",\"title\":\"Destination Organization\",\"type\":\"lens\",\"version\":\"8.3.2\"}]", + "timeRestore": false, + "title": "[Fortinet Fortigate] Firewall Overview", + "version": 1 + }, + "coreMigrationVersion": "8.3.2", + "id": "fortinet_fortigate-d0cd8230-0c8b-11ed-bb95-158df2ca77e4", + "migrationVersion": { + "dashboard": "8.3.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aef92dcc-7959-4c94-90ef-373478d28419:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "53ff2f86-bf06-4677-92d2-067155f609f3:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b3871313-73e1-4197-af66-2ff82506fafd:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "941798ef-1ae4-4ebe-8867-a17eb8b1a4b9:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f20139de-a0eb-463f-a9c8-183dce76b3fa:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14f2d7bc-a79b-4917-a0a3-9656891cc0d8:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "85b98bdc-73a7-4032-aef1-91921b5235ce:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3652abe3-b251-4cc0-a014-a81bbe764d33:indexpattern-datasource-layer-3315c7ab-9184-4bc2-8d29-bfa4f03c0357", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c284fd4a-cd25-4fe3-8124-f2458aed0257:indexpattern-datasource-layer-2573c22c-9787-4385-a01b-779b948ee617", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58884a18-ec0a-46f1-bf37-de86aba407ad:indexpattern-datasource-layer-64b9d1d0-7503-4967-849c-be0201d51ac1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_2_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3559260b-1b7d-4053-b958-d6eb5f4e839e:layer_3_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9eb208d4-f6d7-468a-b558-a98ecc64e262:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bbd15cda-94cf-4624-acfe-f255efbb5855:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "83c59f55-5df1-4715-8fb1-d088f0e10019:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1e4ffbda-33d2-40eb-9746-4469775466f7:indexpattern-datasource-layer-3b509c65-21ea-4bc9-98ac-38f059b301f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_eb2ef977-0de8-4bd4-a936-8bd25a74543c:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_cfa74479-5cd8-48b4-b302-86302d5cc8a6:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ee56c2d4-3f4e-4914-bc04-74a600f57188:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ad683801-15c1-4243-a870-c533cf32c7e3:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_c66d9124-057b-40aa-bc0a-fab5624ed285:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/fortinet_fortigate/1.2.4/manifest.yml b/packages/fortinet_fortigate/1.2.4/manifest.yml new file mode 100755 index 0000000000..821e69fafe --- /dev/null +++ b/packages/fortinet_fortigate/1.2.4/manifest.yml @@ -0,0 +1,37 @@ +name: fortinet_fortigate +title: Fortinet FortiGate Firewall Logs +version: 1.2.4 +release: ga +description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: ["security"] +conditions: + kibana.version: "^8.3.0" +icons: + - src: /img/fortinet-logo.svg + title: Fortinet + size: 216x216 + type: image/svg+xml +screenshots: + - src: /img/dashboard.png + title: Fortinet FortiGate Overview + size: 3336x3120 + type: image/png +policy_templates: + - name: fortinet_fortigate + title: Fortinet FortiGate logs + description: Collect logs from Fortinet FortiGate instances + inputs: + - type: logfile + title: "Collect Fortinet FortiGate logs (input: logfile)" + description: "Collecting logs from Fortinet FortiGate instances (input: logfile)" + - type: tcp + title: "Collect Fortinet FortiGate logs (input: tcp)" + description: "Collecting logs from Fortinet FortiGate instances (input: tcp)" + - type: udp + title: "Collect Fortinet FortiGate logs (input: udp)" + description: "Collecting logs from Fortinet FortiGate instances (input: udp)" +owner: + github: elastic/security-external-integrations diff --git a/packages/fortinet_fortimanager/1.1.3/LICENSE.txt b/packages/fortinet_fortimanager/1.1.3/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/fortinet_fortimanager/1.1.3/changelog.yml b/packages/fortinet_fortimanager/1.1.3/changelog.yml new file mode 100755 index 0000000000..c903c78233 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/changelog.yml @@ -0,0 +1,26 @@ +# newer versions go on top +- version: "1.1.3" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4407 +- version: "1.1.2" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "1.1.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.1.0" + changes: + - description: Update Ingest Pipeline with observer Fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3819 +- version: "1.0.0" + changes: + - description: Initial version of Fortinet FortiManager as separate package + type: enhancement + link: https://github.com/elastic/integrations/pull/3267 diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/log.yml.hbs b/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/log.yml.hbs new file mode 100755 index 0000000000..a9ee14498d --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/log.yml.hbs @@ -0,0 +1,3094 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("hfld2"), + constant("_fortinetmgr"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup2, + ])); + + var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ + setc("header_id","0005"), + dup2, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg1 = msg("fortinetmgr:01", part1); + + var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg2 = msg("fortinetmgr", part2); + + var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); + + var part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); + + var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); + + var select2 = linear_select([ + part4, + part5, + ]); + + var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); + + var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); + + var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); + + var select3 = linear_select([ + part7, + part8, + ]); + + var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); + + var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); + + var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); + + var select4 = linear_select([ + part10, + part11, + ]); + + var all1 = all_match({ + processors: [ + part3, + select2, + part6, + select3, + part9, + select4, + ], + on_success: processor_chain([ + dup11, + dup4, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("fld5"), + }), + dup22, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg3 = msg("fortinetmgr:04", all1); + + var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg4 = msg("fortinetmgr:02", part12); + + var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("result"), + }), + dup22, + ])); + + var msg5 = msg("fortinetmgr:03", part13); + + var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); + + var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); + + var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + + var select5 = linear_select([ + part15, + part16, + ]); + + var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); + + var all2 = all_match({ + processors: [ + part14, + select5, + part17, + ], + on_success: processor_chain([ + dup13, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg6 = msg("fortinetmgr:05", all2); + + var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { + "action": "action", + "adom": "domain", + "desc": "event_description", + "msg": "info", + "session_id": "sessionid", + "user": "username", + "userfrom": "fld1", + }, processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + setf("event_type","hfld2"), + dup9, + dup10, + ])); + + var msg7 = msg("event_fortinetmgr_tvm", part18); + + var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + ]); + + var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { + "action": "action", + "adminprof": "fld13", + "cat": "fcatnum", + "catdesc": "filter", + "cipher_suite": "fld24", + "content_switch_name": "fld15", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "dev_id": "fld100", + "device_id": "hardware_id", + "devid": "hardware_id", + "devname": "event_source", + "devtype": "fld7", + "direction": "direction", + "dst": "daddr", + "dst_port": "dport", + "dstintf": "dinterface", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtype": "vendor_event_cat", + "false_positive_mitigation": "fld17", + "ftp_cmd": "fld23", + "ftp_mode": "fld22", + "history_threat_weight": "fld21", + "hostname": "hostname", + "http_agent": "agent", + "http_host": "web_ref_domain", + "http_method": "web_method", + "http_refer": "web_referer", + "http_session_id": "sessionid", + "http_url": "web_query", + "http_version": "fld19", + "level": "severity", + "log_id": "id", + "logid": "id", + "main_type": "fld37", + "mastersrcmac": "fld8", + "method": "fld12", + "monitor_status": "fld18", + "msg": "event_description", + "msg_id": "fld25", + "osname": "os", + "osversion": "version", + "policy": "policyname", + "policyid": "policy_id", + "poluuid": "fld5", + "pri": "severity", + "profile": "rulename", + "proto": "fld6", + "rcvdbyte": "rbytes", + "reqtype": "fld11", + "sentbyte": "sbytes", + "server_pool_name": "fld16", + "service": "network_service", + "sessionid": "sessionid", + "severity_level": "fld101", + "signature_id": "sigid", + "signature_subclass": "fld14", + "src": "saddr", + "src_port": "sport", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub_type": "category", + "subtype": "category", + "threat_level": "threat_val", + "threat_weight": "fld20", + "timezone": "timezone", + "trandisp": "context", + "trigger_policy": "fld39", + "type": "event_type", + "url": "url", + "user": "username", + "user_name": "username", + "userfrom": "fld30", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + dup5, + dup14, + dup23, + ])); + + var msg8 = msg("generic_fortinetmgr", part19); + + var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { + "action": "action", + "app": "obj_name", + "appcat": "fld33", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "date": "fld1", + "dstcountry": "location_dst", + "dstintf": "dinterface", + "dstintfrole": "fld31", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtime": "event_time_string", + "level": "severity", + "logid": "id", + "logtime": "fld35", + "policyid": "policy_id", + "policytype": "fld34", + "poluuid": "fld5", + "proto": "fld6", + "rcvdbyte": "rbytes", + "sentbyte": "sbytes", + "sentpkt": "fld15", + "service": "network_service", + "sessionid": "sessionid", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcintfrole": "fld30", + "srcip": "saddr", + "srcport": "sport", + "subtype": "category", + "time": "fld2", + "trandisp": "context", + "tranip": "dtransaddr", + "tranport": "dtransport", + "type": "event_type", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup6, + setf("hardware_id","hfld2"), + dup14, + dup23, + ])); + + var msg9 = msg("generic_fortinetmgr_1", part20); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "event_fortinetmgr": select6, + "generic_fortinetmgr": msg8, + "generic_fortinetmgr_1": msg9, + }), + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/tcp.yml.hbs b/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100755 index 0000000000..7d3dfcbe1b --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,3091 @@ +tcp: +host: "{{tcp_host}}:{{tcp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("hfld2"), + constant("_fortinetmgr"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup2, + ])); + + var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ + setc("header_id","0005"), + dup2, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg1 = msg("fortinetmgr:01", part1); + + var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg2 = msg("fortinetmgr", part2); + + var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); + + var part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); + + var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); + + var select2 = linear_select([ + part4, + part5, + ]); + + var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); + + var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); + + var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); + + var select3 = linear_select([ + part7, + part8, + ]); + + var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); + + var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); + + var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); + + var select4 = linear_select([ + part10, + part11, + ]); + + var all1 = all_match({ + processors: [ + part3, + select2, + part6, + select3, + part9, + select4, + ], + on_success: processor_chain([ + dup11, + dup4, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("fld5"), + }), + dup22, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg3 = msg("fortinetmgr:04", all1); + + var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg4 = msg("fortinetmgr:02", part12); + + var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("result"), + }), + dup22, + ])); + + var msg5 = msg("fortinetmgr:03", part13); + + var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); + + var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); + + var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + + var select5 = linear_select([ + part15, + part16, + ]); + + var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); + + var all2 = all_match({ + processors: [ + part14, + select5, + part17, + ], + on_success: processor_chain([ + dup13, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg6 = msg("fortinetmgr:05", all2); + + var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { + "action": "action", + "adom": "domain", + "desc": "event_description", + "msg": "info", + "session_id": "sessionid", + "user": "username", + "userfrom": "fld1", + }, processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + setf("event_type","hfld2"), + dup9, + dup10, + ])); + + var msg7 = msg("event_fortinetmgr_tvm", part18); + + var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + ]); + + var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { + "action": "action", + "adminprof": "fld13", + "cat": "fcatnum", + "catdesc": "filter", + "cipher_suite": "fld24", + "content_switch_name": "fld15", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "dev_id": "fld100", + "device_id": "hardware_id", + "devid": "hardware_id", + "devname": "event_source", + "devtype": "fld7", + "direction": "direction", + "dst": "daddr", + "dst_port": "dport", + "dstintf": "dinterface", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtype": "vendor_event_cat", + "false_positive_mitigation": "fld17", + "ftp_cmd": "fld23", + "ftp_mode": "fld22", + "history_threat_weight": "fld21", + "hostname": "hostname", + "http_agent": "agent", + "http_host": "web_ref_domain", + "http_method": "web_method", + "http_refer": "web_referer", + "http_session_id": "sessionid", + "http_url": "web_query", + "http_version": "fld19", + "level": "severity", + "log_id": "id", + "logid": "id", + "main_type": "fld37", + "mastersrcmac": "fld8", + "method": "fld12", + "monitor_status": "fld18", + "msg": "event_description", + "msg_id": "fld25", + "osname": "os", + "osversion": "version", + "policy": "policyname", + "policyid": "policy_id", + "poluuid": "fld5", + "pri": "severity", + "profile": "rulename", + "proto": "fld6", + "rcvdbyte": "rbytes", + "reqtype": "fld11", + "sentbyte": "sbytes", + "server_pool_name": "fld16", + "service": "network_service", + "sessionid": "sessionid", + "severity_level": "fld101", + "signature_id": "sigid", + "signature_subclass": "fld14", + "src": "saddr", + "src_port": "sport", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub_type": "category", + "subtype": "category", + "threat_level": "threat_val", + "threat_weight": "fld20", + "timezone": "timezone", + "trandisp": "context", + "trigger_policy": "fld39", + "type": "event_type", + "url": "url", + "user": "username", + "user_name": "username", + "userfrom": "fld30", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + dup5, + dup14, + dup23, + ])); + + var msg8 = msg("generic_fortinetmgr", part19); + + var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { + "action": "action", + "app": "obj_name", + "appcat": "fld33", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "date": "fld1", + "dstcountry": "location_dst", + "dstintf": "dinterface", + "dstintfrole": "fld31", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtime": "event_time_string", + "level": "severity", + "logid": "id", + "logtime": "fld35", + "policyid": "policy_id", + "policytype": "fld34", + "poluuid": "fld5", + "proto": "fld6", + "rcvdbyte": "rbytes", + "sentbyte": "sbytes", + "sentpkt": "fld15", + "service": "network_service", + "sessionid": "sessionid", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcintfrole": "fld30", + "srcip": "saddr", + "srcport": "sport", + "subtype": "category", + "time": "fld2", + "trandisp": "context", + "tranip": "dtransaddr", + "tranport": "dtransport", + "type": "event_type", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup6, + setf("hardware_id","hfld2"), + dup14, + dup23, + ])); + + var msg9 = msg("generic_fortinetmgr_1", part20); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "event_fortinetmgr": select6, + "generic_fortinetmgr": msg8, + "generic_fortinetmgr_1": msg9, + }), + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/udp.yml.hbs new file mode 100755 index 0000000000..89adc08993 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,3091 @@ +udp: +host: "{{udp_host}}:{{udp_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} +- script: + lang: javascript + params: + ecs: true + rsa: {{rsa_fields}} + tz_offset: {{tz_offset}} + keep_raw: {{keep_raw_fields}} + debug: {{debug}} + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. + function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. + // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, + }; + + var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("hfld2"), + constant("_fortinetmgr"), + ], + }), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, + ])); + + var hdr3 = match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, + ])); + + var hdr4 = match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup2, + ])); + + var hdr5 = match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ + setc("header_id","0005"), + dup2, + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + ]); + + var part1 = match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg1 = msg("fortinetmgr:01", part1); + + var part2 = match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg2 = msg("fortinetmgr", part2); + + var part3 = match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); + + var part4 = match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); + + var part5 = match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); + + var select2 = linear_select([ + part4, + part5, + ]); + + var part6 = match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); + + var part7 = match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); + + var part8 = match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); + + var select3 = linear_select([ + part7, + part8, + ]); + + var part9 = match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); + + var part10 = match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); + + var part11 = match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); + + var select4 = linear_select([ + part10, + part11, + ]); + + var all1 = all_match({ + processors: [ + part3, + select2, + part6, + select3, + part9, + select4, + ], + on_success: processor_chain([ + dup11, + dup4, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("fld5"), + }), + dup22, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg3 = msg("fortinetmgr:04", all1); + + var part12 = match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ])); + + var msg4 = msg("fortinetmgr:02", part12); + + var part13 = match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("result"), + }), + dup22, + ])); + + var msg5 = msg("fortinetmgr:03", part13); + + var part14 = match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); + + var part15 = match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); + + var part16 = match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + + var select5 = linear_select([ + part15, + part16, + ]); + + var part17 = match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); + + var all2 = all_match({ + processors: [ + part14, + select5, + part17, + ], + on_success: processor_chain([ + dup13, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), + }); + + var msg6 = msg("fortinetmgr:05", all2); + + var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { + "action": "action", + "adom": "domain", + "desc": "event_description", + "msg": "info", + "session_id": "sessionid", + "user": "username", + "userfrom": "fld1", + }, processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + setf("event_type","hfld2"), + dup9, + dup10, + ])); + + var msg7 = msg("event_fortinetmgr_tvm", part18); + + var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + ]); + + var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { + "action": "action", + "adminprof": "fld13", + "cat": "fcatnum", + "catdesc": "filter", + "cipher_suite": "fld24", + "content_switch_name": "fld15", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "dev_id": "fld100", + "device_id": "hardware_id", + "devid": "hardware_id", + "devname": "event_source", + "devtype": "fld7", + "direction": "direction", + "dst": "daddr", + "dst_port": "dport", + "dstintf": "dinterface", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtype": "vendor_event_cat", + "false_positive_mitigation": "fld17", + "ftp_cmd": "fld23", + "ftp_mode": "fld22", + "history_threat_weight": "fld21", + "hostname": "hostname", + "http_agent": "agent", + "http_host": "web_ref_domain", + "http_method": "web_method", + "http_refer": "web_referer", + "http_session_id": "sessionid", + "http_url": "web_query", + "http_version": "fld19", + "level": "severity", + "log_id": "id", + "logid": "id", + "main_type": "fld37", + "mastersrcmac": "fld8", + "method": "fld12", + "monitor_status": "fld18", + "msg": "event_description", + "msg_id": "fld25", + "osname": "os", + "osversion": "version", + "policy": "policyname", + "policyid": "policy_id", + "poluuid": "fld5", + "pri": "severity", + "profile": "rulename", + "proto": "fld6", + "rcvdbyte": "rbytes", + "reqtype": "fld11", + "sentbyte": "sbytes", + "server_pool_name": "fld16", + "service": "network_service", + "sessionid": "sessionid", + "severity_level": "fld101", + "signature_id": "sigid", + "signature_subclass": "fld14", + "src": "saddr", + "src_port": "sport", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub_type": "category", + "subtype": "category", + "threat_level": "threat_val", + "threat_weight": "fld20", + "timezone": "timezone", + "trandisp": "context", + "trigger_policy": "fld39", + "type": "event_type", + "url": "url", + "user": "username", + "user_name": "username", + "userfrom": "fld30", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + dup5, + dup14, + dup23, + ])); + + var msg8 = msg("generic_fortinetmgr", part19); + + var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { + "action": "action", + "app": "obj_name", + "appcat": "fld33", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "date": "fld1", + "dstcountry": "location_dst", + "dstintf": "dinterface", + "dstintfrole": "fld31", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtime": "event_time_string", + "level": "severity", + "logid": "id", + "logtime": "fld35", + "policyid": "policy_id", + "policytype": "fld34", + "poluuid": "fld5", + "proto": "fld6", + "rcvdbyte": "rbytes", + "sentbyte": "sbytes", + "sentpkt": "fld15", + "service": "network_service", + "sessionid": "sessionid", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcintfrole": "fld30", + "srcip": "saddr", + "srcport": "sport", + "subtype": "category", + "time": "fld2", + "trandisp": "context", + "tranip": "dtransaddr", + "tranport": "dtransport", + "type": "event_type", + "vd": "vsys", + }, processor_chain([ + dup13, + dup4, + date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup6, + setf("hardware_id","hfld2"), + dup14, + dup23, + ])); + + var msg9 = msg("generic_fortinetmgr_1", part20); + + var chain1 = processor_chain([ + select1, + msgid_select({ + "event_fortinetmgr": select6, + "generic_fortinetmgr": msg8, + "generic_fortinetmgr_1": msg9, + }), + ]); + +- community_id: +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain +- add_locale: ~ diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortimanager/1.1.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..a24b95d589 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,117 @@ +--- +description: Pipeline for Fortinet Manager/Analyzer +processors: + - set: + field: ecs.version + value: '8.3.0' + - set: + field: observer.vendor + value: Fortinet + - set: + field: observer.product + value: FortiManager + - set: + field: observer.type + value: configuration + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # URL + - uri_parts: + field: url.original + target_field: _temp_.url + ignore_failure: true + if: ctx?.url?.original != null + - script: + lang: painless + description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings + if: ctx?._temp_?.url != null + source: | + for (entry in ctx._temp_.url.entrySet()) { + if (entry != null && entry.getValue() != null) { + if(ctx.url[entry.getKey()] == null) { + ctx.url[entry.getKey()] = entry.getValue(); + } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) { + ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]]; + ctx.url[entry.getKey()].add(entry.getValue()); + } + } + } + - remove: + field: _temp_ + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +# Ensure source.mac and destination.mac are formatted to ECS specifications. + - gsub: + field: destination.mac + ignore_missing: true + pattern: '[:.]' + replacement: '-' + - gsub: + field: source.mac + ignore_missing: true + pattern: '[:.]' + replacement: '-' + - uppercase: + field: destination.mac + ignore_missing: true + - uppercase: + field: source.mac + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/agent.yml b/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..e0f9e38998 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/agent.yml @@ -0,0 +1,170 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/base-fields.yml b/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..dbb394f267 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/base-fields.yml @@ -0,0 +1,38 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: fortinet +- name: event.dataset + type: constant_keyword + description: Event dataset + value: fortinet_fortimanager.log +- name: container.id + description: Unique container id. + ignore_above: 1024 + type: keyword +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: log.file.path + description: Full path to the log file this event came from. + example: /var/log/fun-times.log + ignore_above: 1024 + type: keyword +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: log.flags + description: Flags for the log file. + type: keyword +- name: log.offset + description: Offset of the entry in the log file. + type: long diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/ecs.yml b/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..cb322fbe1d --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/ecs.yml @@ -0,0 +1,573 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: client.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: destination.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + Array of file attributes. + Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + name: file.attributes + normalize: + - array + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.parent.title + type: keyword +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: server.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: source.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/fields.yml b/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..ea69cd79e3 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/fields/fields.yml @@ -0,0 +1,1754 @@ +- name: rsa + type: group + fields: + - name: internal + type: group + fields: + - name: msg + type: keyword + description: This key is used to capture the raw message that comes into the Log Decoder + - name: messageid + type: keyword + - name: event_desc + type: keyword + - name: message + type: keyword + description: This key captures the contents of instant messages + - name: time + type: date + description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + - name: level + type: long + description: Deprecated key defined only in table map. + - name: msg_id + type: keyword + description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: msg_vid + type: keyword + description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: data + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + type: keyword + description: Deprecated key defined only in table map. + - name: resource + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + type: keyword + description: Deprecated key defined only in table map. + - name: statement + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + type: keyword + description: Deprecated key defined only in table map. + - name: entry + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + type: keyword + description: Deprecated key defined only in table map. + - name: inode + type: long + description: Deprecated key defined only in table map. + - name: resource_class + type: keyword + description: Deprecated key defined only in table map. + - name: dead + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + type: keyword + description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: feed_name + type: keyword + description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: cid + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_class + type: keyword + description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_group + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + type: keyword + description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + type: keyword + description: This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type_id + type: long + description: Deprecated key defined only in table map. + - name: did + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: entropy_req + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: entropy_res + type: long + description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + - name: event_name + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + type: keyword + description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: forward_ip + type: ip + description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + type: ip + description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: header_id + type: keyword + description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_cid + type: keyword + description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: lc_ctime + type: date + description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + type: long + description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + type: long + description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: mcbc_res + type: long + description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + - name: medium + type: long + description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + type: keyword + description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: payload_req + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: payload_res + type: long + description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + - name: process_vid_dst + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + - name: process_vid_src + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + - name: rid + type: long + description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: session_split + type: keyword + description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + type: keyword + description: Deprecated key defined only in table map. + - name: size + type: long + description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: sourcefile + type: keyword + description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: ubc_res + type: long + description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + - name: word + type: keyword + description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + - name: time + type: group + fields: + - name: event_time + type: date + description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + - name: duration_time + type: double + description: This key is used to capture the normalized duration/lifetime in seconds. + - name: event_time_str + type: keyword + description: This key is used to capture the incomplete time mentioned in a session as a string + - name: starttime + type: date + description: This key is used to capture the Start time mentioned in a session in a standard form + - name: month + type: keyword + - name: day + type: keyword + - name: endtime + type: date + description: This key is used to capture the End time mentioned in a session in a standard form + - name: timezone + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + type: keyword + description: A text string version of the duration + - name: date + type: keyword + - name: year + type: keyword + - name: recorded_time + type: date + description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + - name: datetime + type: keyword + - name: effective_time + type: date + description: This key is the effective time referenced by an individual event in a Standard Timestamp format + - name: expire_time + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + type: keyword + description: Deprecated, use duration.time + - name: hour + type: keyword + - name: min + type: keyword + - name: timestamp + type: keyword + - name: event_queue_time + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + type: keyword + - name: tzone + type: keyword + - name: eventtime + type: keyword + - name: gmtdate + type: keyword + - name: gmttime + type: keyword + - name: p_date + type: keyword + - name: p_month + type: keyword + - name: p_time + type: keyword + - name: p_time2 + type: keyword + - name: p_year + type: keyword + - name: expire_time_str + type: keyword + description: This key is used to capture incomplete timestamp that explicitly refers to an expiration. + - name: stamp + type: date + description: Deprecated key defined only in table map. + - name: misc + type: group + fields: + - name: action + type: keyword + - name: result + type: keyword + description: This key is used to capture the outcome/result string value of an action in a session. + - name: severity + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + type: keyword + description: This key captures the event category type as specified by the event source. + - name: reference_id + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + type: keyword + description: This key captures Version of the application or OS which is generating the event. + - name: disposition + type: keyword + description: This key captures the The end state of an action. + - name: result_code + type: keyword + description: This key is used to capture the outcome/result numeric value of an action in a session + - name: category + type: keyword + description: This key is used to capture the category of an event given by the vendor in the session + - name: obj_name + type: keyword + description: This is used to capture name of object + - name: obj_type + type: keyword + description: This is used to capture type of object + - name: event_source + type: keyword + description: "This key captures Source of the event that’s not a hostname" + - name: log_session_id + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + type: keyword + description: This key captures the Group Name value + - name: policy_name + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + type: keyword + description: This key captures the Rule Name + - name: context + type: keyword + description: This key captures Information which adds additional context to the event. + - name: change_new + type: keyword + description: "This key is used to capture the new values of the attribute that’s changing in a session" + - name: space + type: keyword + - name: client + type: keyword + description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + type: keyword + - name: msgIdPart2 + type: keyword + - name: change_old + type: keyword + description: "This key is used to capture the old value of the attribute that’s changing in a session" + - name: operation_id + type: keyword + description: An alert number or operation number. The values should be unique and non-repeating. + - name: event_state + type: keyword + description: This key captures the current state of the object/item referenced within the event. Describing an on-going event. + - name: group_object + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + type: keyword + description: Common use case is the node name within a cluster. The cluster name is reflected by the host name. + - name: rule + type: keyword + description: This key captures the Rule number + - name: device_name + type: keyword + description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc' + - name: param + type: keyword + description: This key is the parameters passed as part of a command or application, etc. + - name: change_attrib + type: keyword + description: "This key is used to capture the name of the attribute that’s changing in a session" + - name: event_computer + type: keyword + description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + - name: reference_id1 + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + type: keyword + description: This key captures the Name of the event log + - name: OS + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + type: keyword + - name: filter + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + type: keyword + description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + - name: event_user + type: keyword + description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + - name: virusname + type: keyword + description: This key captures the name of the virus + - name: content_type + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + type: keyword + description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + - name: vsys + type: keyword + description: This key captures Virtual System Name + - name: connection_id + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + - name: sensor + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS based devices + - name: sig_id + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + type: keyword + description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).' + - name: rule_group + type: keyword + description: This key captures the Rule group name + - name: risk_num + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + type: keyword + description: This key is used to capture a Linked (Related) Session ID from the session directly + - name: comp_version + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + type: keyword + description: This key is used to capture unique identifier for a device or system (NOT a Mac address) + - name: risk + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + type: keyword + - name: reason + type: keyword + - name: status + type: keyword + - name: mail_id + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + type: keyword + - name: p_msgid + type: keyword + - name: data_type + type: keyword + - name: msgIdPart4 + type: keyword + - name: error + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + type: keyword + - name: listnum + type: keyword + description: This key is used to capture listname or listnumber, primarily for collecting access-list + - name: ntype + type: keyword + - name: observed_val + type: keyword + description: This key captures the Value observed (from the perspective of the device generating the log). + - name: policy_value + type: keyword + description: This key captures the contents of the policy. This contains details about the policy + - name: pool_name + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + type: keyword + description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + - name: count + type: keyword + - name: number + type: keyword + - name: sigcat + type: keyword + - name: type + type: keyword + - name: comments + type: keyword + description: Comment information provided in the log message + - name: doc_number + type: long + description: This key captures File Identification number + - name: expected_val + type: keyword + description: This key captures the Value expected (from the perspective of the device generating the log). + - name: job_num + type: keyword + description: This key captures the Job Number + - name: spi_dst + type: keyword + description: Destination SPI Index + - name: spi_src + type: keyword + description: Source SPI Index + - name: code + type: keyword + - name: agent_id + type: keyword + description: This key is used to capture agent id + - name: message_body + type: keyword + description: This key captures the The contents of the message body. + - name: phone + type: keyword + - name: sig_id_str + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + type: keyword + - name: misc + type: keyword + - name: name + type: keyword + - name: cpu + type: long + description: This key is the CPU time used in the execution of the event being recorded. + - name: event_desc + type: keyword + description: This key is used to capture a description of an event available directly or inferred + - name: sig_id1 + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + - name: im_buddyid + type: keyword + - name: im_client + type: keyword + - name: im_userid + type: keyword + - name: pid + type: keyword + - name: priority + type: keyword + - name: context_subject + type: keyword + description: This key is to be used in an audit context where the subject is the object being identified + - name: context_target + type: keyword + - name: cve + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + - name: fcatnum + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + type: keyword + description: This key captures the Parent Node Name. Must be related to node variable. + - name: risk_info + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + type: long + description: This key describes the type of service + - name: vm_target + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + type: keyword + description: This key captures Workspace Description + - name: command + type: keyword + - name: event_category + type: keyword + - name: facilityname + type: keyword + - name: forensic_info + type: keyword + - name: jobname + type: keyword + - name: mode + type: keyword + - name: policy + type: keyword + - name: policy_waiver + type: keyword + - name: second + type: keyword + - name: space1 + type: keyword + - name: subcategory + type: keyword + - name: tbdstr2 + type: keyword + - name: alert_id + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + type: keyword + description: This key is used to capture the checksum or hash of the the target entity such as a process or file. + - name: checksum_src + type: keyword + description: This key is used to capture the checksum or hash of the source entity such as a file or process. + - name: fresult + type: long + description: This key captures the Filter Result + - name: payload_dst + type: keyword + description: This key is used to capture destination payload + - name: payload_src + type: keyword + description: This key is used to capture source payload + - name: pool_id + type: keyword + description: This key captures the identifier (typically numeric field) of a resource pool + - name: process_id_val + type: keyword + description: This key is a failure key for Process ID when it is not an integer value + - name: risk_num_comm + type: double + description: This key captures Risk Number Community + - name: risk_num_next + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + type: keyword + description: SNMP Object Identifier + - name: sql + type: keyword + description: This key captures the SQL query + - name: vuln_ref + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + type: keyword + - name: acl_op + type: keyword + - name: acl_pos + type: keyword + - name: acl_table + type: keyword + - name: admin + type: keyword + - name: alarm_id + type: keyword + - name: alarmname + type: keyword + - name: app_id + type: keyword + - name: audit + type: keyword + - name: audit_object + type: keyword + - name: auditdata + type: keyword + - name: benchmark + type: keyword + - name: bypass + type: keyword + - name: cache + type: keyword + - name: cache_hit + type: keyword + - name: cefversion + type: keyword + - name: cfg_attr + type: keyword + - name: cfg_obj + type: keyword + - name: cfg_path + type: keyword + - name: changes + type: keyword + - name: client_ip + type: keyword + - name: clustermembers + type: keyword + - name: cn_acttimeout + type: keyword + - name: cn_asn_src + type: keyword + - name: cn_bgpv4nxthop + type: keyword + - name: cn_ctr_dst_code + type: keyword + - name: cn_dst_tos + type: keyword + - name: cn_dst_vlan + type: keyword + - name: cn_engine_id + type: keyword + - name: cn_engine_type + type: keyword + - name: cn_f_switch + type: keyword + - name: cn_flowsampid + type: keyword + - name: cn_flowsampintv + type: keyword + - name: cn_flowsampmode + type: keyword + - name: cn_inacttimeout + type: keyword + - name: cn_inpermbyts + type: keyword + - name: cn_inpermpckts + type: keyword + - name: cn_invalid + type: keyword + - name: cn_ip_proto_ver + type: keyword + - name: cn_ipv4_ident + type: keyword + - name: cn_l_switch + type: keyword + - name: cn_log_did + type: keyword + - name: cn_log_rid + type: keyword + - name: cn_max_ttl + type: keyword + - name: cn_maxpcktlen + type: keyword + - name: cn_min_ttl + type: keyword + - name: cn_minpcktlen + type: keyword + - name: cn_mpls_lbl_1 + type: keyword + - name: cn_mpls_lbl_10 + type: keyword + - name: cn_mpls_lbl_2 + type: keyword + - name: cn_mpls_lbl_3 + type: keyword + - name: cn_mpls_lbl_4 + type: keyword + - name: cn_mpls_lbl_5 + type: keyword + - name: cn_mpls_lbl_6 + type: keyword + - name: cn_mpls_lbl_7 + type: keyword + - name: cn_mpls_lbl_8 + type: keyword + - name: cn_mpls_lbl_9 + type: keyword + - name: cn_mplstoplabel + type: keyword + - name: cn_mplstoplabip + type: keyword + - name: cn_mul_dst_byt + type: keyword + - name: cn_mul_dst_pks + type: keyword + - name: cn_muligmptype + type: keyword + - name: cn_sampalgo + type: keyword + - name: cn_sampint + type: keyword + - name: cn_seqctr + type: keyword + - name: cn_spackets + type: keyword + - name: cn_src_tos + type: keyword + - name: cn_src_vlan + type: keyword + - name: cn_sysuptime + type: keyword + - name: cn_template_id + type: keyword + - name: cn_totbytsexp + type: keyword + - name: cn_totflowexp + type: keyword + - name: cn_totpcktsexp + type: keyword + - name: cn_unixnanosecs + type: keyword + - name: cn_v6flowlabel + type: keyword + - name: cn_v6optheaders + type: keyword + - name: comp_class + type: keyword + - name: comp_name + type: keyword + - name: comp_rbytes + type: keyword + - name: comp_sbytes + type: keyword + - name: cpu_data + type: keyword + - name: criticality + type: keyword + - name: cs_agency_dst + type: keyword + - name: cs_analyzedby + type: keyword + - name: cs_av_other + type: keyword + - name: cs_av_primary + type: keyword + - name: cs_av_secondary + type: keyword + - name: cs_bgpv6nxthop + type: keyword + - name: cs_bit9status + type: keyword + - name: cs_context + type: keyword + - name: cs_control + type: keyword + - name: cs_data + type: keyword + - name: cs_datecret + type: keyword + - name: cs_dst_tld + type: keyword + - name: cs_eth_dst_ven + type: keyword + - name: cs_eth_src_ven + type: keyword + - name: cs_event_uuid + type: keyword + - name: cs_filetype + type: keyword + - name: cs_fld + type: keyword + - name: cs_if_desc + type: keyword + - name: cs_if_name + type: keyword + - name: cs_ip_next_hop + type: keyword + - name: cs_ipv4dstpre + type: keyword + - name: cs_ipv4srcpre + type: keyword + - name: cs_lifetime + type: keyword + - name: cs_log_medium + type: keyword + - name: cs_loginname + type: keyword + - name: cs_modulescore + type: keyword + - name: cs_modulesign + type: keyword + - name: cs_opswatresult + type: keyword + - name: cs_payload + type: keyword + - name: cs_registrant + type: keyword + - name: cs_registrar + type: keyword + - name: cs_represult + type: keyword + - name: cs_rpayload + type: keyword + - name: cs_sampler_name + type: keyword + - name: cs_sourcemodule + type: keyword + - name: cs_streams + type: keyword + - name: cs_targetmodule + type: keyword + - name: cs_v6nxthop + type: keyword + - name: cs_whois_server + type: keyword + - name: cs_yararesult + type: keyword + - name: description + type: keyword + - name: devvendor + type: keyword + - name: distance + type: keyword + - name: dstburb + type: keyword + - name: edomain + type: keyword + - name: edomaub + type: keyword + - name: euid + type: keyword + - name: facility + type: keyword + - name: finterface + type: keyword + - name: flags + type: keyword + - name: gaddr + type: keyword + - name: id3 + type: keyword + - name: im_buddyname + type: keyword + - name: im_croomid + type: keyword + - name: im_croomtype + type: keyword + - name: im_members + type: keyword + - name: im_username + type: keyword + - name: ipkt + type: keyword + - name: ipscat + type: keyword + - name: ipspri + type: keyword + - name: latitude + type: keyword + - name: linenum + type: keyword + - name: list_name + type: keyword + - name: load_data + type: keyword + - name: location_floor + type: keyword + - name: location_mark + type: keyword + - name: log_id + type: keyword + - name: log_type + type: keyword + - name: logid + type: keyword + - name: logip + type: keyword + - name: logname + type: keyword + - name: longitude + type: keyword + - name: lport + type: keyword + - name: mbug_data + type: keyword + - name: misc_name + type: keyword + - name: msg_type + type: keyword + - name: msgid + type: keyword + - name: netsessid + type: keyword + - name: num + type: keyword + - name: number1 + type: keyword + - name: number2 + type: keyword + - name: nwwn + type: keyword + - name: object + type: keyword + - name: operation + type: keyword + - name: opkt + type: keyword + - name: orig_from + type: keyword + - name: owner_id + type: keyword + - name: p_action + type: keyword + - name: p_filter + type: keyword + - name: p_group_object + type: keyword + - name: p_id + type: keyword + - name: p_msgid1 + type: keyword + - name: p_msgid2 + type: keyword + - name: p_result1 + type: keyword + - name: password_chg + type: keyword + - name: password_expire + type: keyword + - name: permgranted + type: keyword + - name: permwanted + type: keyword + - name: pgid + type: keyword + - name: policyUUID + type: keyword + - name: prog_asp_num + type: keyword + - name: program + type: keyword + - name: real_data + type: keyword + - name: rec_asp_device + type: keyword + - name: rec_asp_num + type: keyword + - name: rec_library + type: keyword + - name: recordnum + type: keyword + - name: ruid + type: keyword + - name: sburb + type: keyword + - name: sdomain_fld + type: keyword + - name: sec + type: keyword + - name: sensorname + type: keyword + - name: seqnum + type: keyword + - name: session + type: keyword + - name: sessiontype + type: keyword + - name: sigUUID + type: keyword + - name: spi + type: keyword + - name: srcburb + type: keyword + - name: srcdom + type: keyword + - name: srcservice + type: keyword + - name: state + type: keyword + - name: status1 + type: keyword + - name: svcno + type: keyword + - name: system + type: keyword + - name: tbdstr1 + type: keyword + - name: tgtdom + type: keyword + - name: tgtdomain + type: keyword + - name: threshold + type: keyword + - name: type1 + type: keyword + - name: udb_class + type: keyword + - name: url_fld + type: keyword + - name: user_div + type: keyword + - name: userid + type: keyword + - name: username_fld + type: keyword + - name: utcstamp + type: keyword + - name: v_instafname + type: keyword + - name: virt_data + type: keyword + - name: vpnid + type: keyword + - name: autorun_type + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + type: long + description: Valid Credit Card Numbers only + - name: content + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + type: long + description: Employee Identification Numbers only + - name: found + type: keyword + description: This is used to capture the results of regex match + - name: language + type: keyword + description: This is used to capture list of languages the client support and what it prefers + - name: lifetime + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + type: keyword + description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: match + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + type: keyword + description: This key captures the command line/launch argument of the target process or file + - name: param_src + type: keyword + description: This key captures source parameter + - name: search_text + type: keyword + description: This key captures the Search Text used + - name: sig_name + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + type: keyword + description: SNMP set request value + - name: streams + type: long + description: This key captures number of streams in session + - name: db + type: group + fields: + - name: index + type: keyword + description: This key captures IndexID of the index. + - name: instance + type: keyword + description: This key is used to capture the database server instance name + - name: database + type: keyword + description: This key is used to capture the name of a database or an instance as seen in a session + - name: transact_id + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + type: keyword + description: This key is used to capture the table name + - name: db_id + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + type: long + description: This key captures the process id of a connection with database server + - name: lread + type: long + description: This key is used for the number of logical reads + - name: lwrite + type: long + description: This key is used for the number of logical writes + - name: pread + type: long + description: This key is used for the number of physical writes + - name: network + type: group + fields: + - name: alias_host + type: keyword + description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + - name: domain + type: keyword + - name: host_dst + type: keyword + description: "This key should only be used when it’s a Destination Hostname" + - name: network_service + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + type: keyword + description: This key should be used when the source or destination context of an interface is not clear + - name: network_port + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + type: keyword + description: "This key should only be used when it’s a Source Interface" + - name: dinterface + type: keyword + description: "This key should only be used when it’s a Destination Interface" + - name: vlan + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + type: keyword + description: "This key should only be used when it’s a Source Zone." + - name: zone + type: keyword + description: This key should be used when the source or destination context of a Zone is not clear + - name: zone_dst + type: keyword + description: "This key should only be used when it’s a Destination Zone." + - name: gateway + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + type: long + description: This key is used to capture the ICMP type only + - name: mask + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + type: keyword + description: This key is used for Destionation Device network mask + - name: port + type: long + description: This key should only be used to capture a Network Port when the directionality is not clear + - name: smask + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + type: keyword + description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + - name: paddr + type: ip + description: Deprecated + - name: faddr + type: keyword + - name: lhost + type: keyword + - name: origin + type: keyword + - name: remote_domain_id + type: keyword + - name: addr + type: keyword + - name: dns_a_record + type: keyword + - name: dns_ptr_record + type: keyword + - name: fhost + type: keyword + - name: fport + type: keyword + - name: laddr + type: keyword + - name: linterface + type: keyword + - name: phost + type: keyword + - name: ad_computer_dst + type: keyword + description: Deprecated, use host.dst + - name: eth_type + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + - name: ip_proto + type: long + description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + - name: dns_cname_record + type: keyword + - name: dns_id + type: keyword + - name: dns_opcode + type: keyword + - name: dns_resp + type: keyword + - name: dns_type + type: keyword + - name: domain1 + type: keyword + - name: host_type + type: keyword + - name: packet_length + type: keyword + - name: host_orig + type: keyword + description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + - name: rpayload + type: keyword + description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + - name: vlan_name + type: keyword + description: This key should only be used to capture the name of the Virtual LAN + - name: investigations + type: group + fields: + - name: ec_activity + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + type: long + description: This key captures the Event category number + - name: event_cat_name + type: keyword + description: This key captures the event category name corresponding to the event cat code + - name: event_vcat + type: keyword + description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + type: keyword + description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + - name: analysis_service + type: keyword + description: This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + - name: analysis_session + type: keyword + description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + - name: boc + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + type: keyword + description: This used to capture investigation category + - name: inv_context + type: keyword + description: This used to capture investigation context + - name: ioc + type: keyword + description: This is key capture indicator of compromise + - name: counters + type: group + fields: + - name: dclass_c1 + type: long + description: This is a generic counter key that should be used with the label dclass.c1.str only + - name: dclass_c2 + type: long + description: This is a generic counter key that should be used with the label dclass.c2.str only + - name: event_counter + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r1.str only + - name: dclass_c3 + type: long + description: This is a generic counter key that should be used with the label dclass.c3.str only + - name: dclass_c1_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c1 only + - name: dclass_c2_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c2 only + - name: dclass_r1_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r1 only + - name: dclass_r2 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r2.str only + - name: dclass_c3_str + type: keyword + description: This is a generic counter string key that should be used with the label dclass.c3 only + - name: dclass_r3 + type: keyword + description: This is a generic ratio key that should be used with the label dclass.r3.str only + - name: dclass_r2_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r2 only + - name: dclass_r3_str + type: keyword + description: This is a generic ratio string key that should be used with the label dclass.r3 only + - name: identity + type: group + fields: + - name: auth_method + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + type: keyword + description: This key is used to capture the user profile + - name: accesses + type: keyword + description: This key is used to capture actual privileges used in accessing an object + - name: realm + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + - name: org + type: keyword + description: This key captures the User organization + - name: dn_dst + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + - name: firstname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: lastname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: user_dept + type: keyword + description: User's Department Names only + - name: user_sid_src + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + type: keyword + description: This key is the Federated Service Provider. This is the application requesting authentication. + - name: federated_idp + type: keyword + description: This key is the federated Identity Provider. This is the server providing the authentication. + - name: logon_type_desc + type: keyword + description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + - name: middlename + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: password + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + - name: ldap_query + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + type: keyword + description: This is used to capture username the process or service is running as, the author of the task + - name: service_account + type: keyword + description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + - name: email + type: group + fields: + - name: email_dst + type: keyword + description: This key is used to capture the Destination email address only, when the destination context is not clear use email + - name: email_src + type: keyword + description: This key is used to capture the source email address only, when the source context is not clear use email + - name: subject + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + type: keyword + description: This key is used to capture a generic email address where the source or destination context is not clear + - name: trans_from + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + type: keyword + description: Deprecated key defined only in table map. + - name: file + type: group + fields: + - name: privilege + type: keyword + description: Deprecated, use permissions + - name: attachment + type: keyword + description: This key captures the attachment file name + - name: filesystem + type: keyword + - name: binary + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + type: keyword + description: This is used to capture name of the parent filename, the file which performed the action + - name: filename_tmp + type: keyword + - name: directory_dst + type: keyword + description: This key is used to capture the directory of the target process or file + - name: directory_src + type: keyword + description: This key is used to capture the directory of the source process or file + - name: file_entropy + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + type: keyword + description: This is used to capture name of the task + - name: web + type: group + fields: + - name: fqdn + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + type: keyword + - name: reputation_num + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + type: keyword + description: Web referer's domain + - name: web_ref_query + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + type: keyword + - name: web_ref_page + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + type: keyword + - name: cn_rpackets + type: keyword + - name: urlpage + type: keyword + - name: urlroot + type: keyword + - name: p_url + type: keyword + - name: p_user_agent + type: keyword + - name: p_web_cookie + type: keyword + - name: p_web_method + type: keyword + - name: p_web_referer + type: keyword + - name: web_extension_tmp + type: keyword + - name: web_page + type: keyword + - name: threat + type: group + fields: + - name: threat_category + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of alert + - name: threat_desc + type: keyword + description: This key is used to capture the threat description from the session directly or inferred + - name: alert + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + type: keyword + description: This key is used to capture source of the threat + - name: crypto + type: group + fields: + - name: crypto + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key only + - name: cipher_src + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + type: keyword + description: IKE negotiation phase. + - name: scheme + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + type: keyword + description: "This key is for Encryption peer’s identity" + - name: sig_type + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + type: keyword + - name: cert_host_name + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + type: keyword + description: Deprecated, use version + - name: d_certauth + type: keyword + - name: s_certauth + type: keyword + - name: ike_cookie1 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase One" + - name: ike_cookie2 + type: keyword + description: "ID of the negotiation — sent for ISAKMP Phase Two" + - name: cert_checksum + type: keyword + - name: cert_host_cat + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + type: keyword + description: Deprecated, use version + - name: cert_keysize + type: keyword + - name: cert_username + type: keyword + - name: https_insact + type: keyword + - name: https_valid + type: keyword + - name: cert_ca + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + type: group + fields: + - name: wlan_ssid + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + type: long + description: This is used to capture the channel names + - name: wlan_name + type: keyword + description: This key captures either WLAN number/name + - name: storage + type: group + fields: + - name: disk_volume + type: keyword + description: A unique name assigned to logical units (volumes) within a physical disk + - name: lun + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + type: group + fields: + - name: org_dst + type: keyword + description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + - name: org_src + type: keyword + description: This is used to capture the source organization based on the GEOPIP Maxmind database. + - name: healthcare + type: group + fields: + - name: patient_fname + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_id + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + - name: patient_mname + type: keyword + description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + - name: endpoint + type: group + fields: + - name: host_state + type: keyword + description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + - name: registry_key + type: keyword + description: This key captures the path to the registry key + - name: registry_value + type: keyword + description: This key captures values or decorators used within a registry entry +- name: dns.question.domain + type: keyword + ignore_above: 1024 + description: Server domain. +- name: network.interface.name + type: keyword diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/manifest.yml b/packages/fortinet_fortimanager/1.1.3/data_stream/log/manifest.yml new file mode 100755 index 0000000000..c6aacc111a --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/manifest.yml @@ -0,0 +1,210 @@ +title: Fortinet Manager/Analyzer logs +release: experimental +type: logs +streams: + - input: udp + title: Fortinet Manager/Analyzer logs + description: Collect Fortinet Manager/Analyzer logs + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-fortimanager + - forwarded + - name: udp_host + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: udp_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9530 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: tcp + title: Fortinet Manager/Analyzer logs + description: Collect Fortinet Manager/Analyzer logs + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-fortimanager + - forwarded + - name: tcp_host + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: tcp_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9530 + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: logfile + enabled: false + title: Fortinet Manager/Analyzer logs + description: Collect Fortinet Manager/Analyzer logs from file + template_path: log.yml.hbs + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/fortinet-fortimanager.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - fortinet-fortimanager + - forwarded + - name: tz_offset + type: text + title: Timezone offset (+HH:mm format) + required: false + show_user: true + default: "local" + - name: rsa_fields + type: bool + title: Add non-ECS fields + required: false + show_user: true + default: true + - name: keep_raw_fields + type: bool + title: Keep raw parser fields + required: false + show_user: false + default: false + - name: debug + type: bool + title: Enable debug logging + required: false + show_user: false + default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/fortinet_fortimanager/1.1.3/data_stream/log/sample_event.json b/packages/fortinet_fortimanager/1.1.3/data_stream/log/sample_event.json new file mode 100755 index 0000000000..0959ccecbb --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/data_stream/log/sample_event.json @@ -0,0 +1,131 @@ +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "607e3bda-a938-4637-8dd4-02613e9144ac", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "fortinet_fortimanager.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 449, + "geo": { + "country_name": "sequa" + }, + "ip": [ + "10.44.173.44" + ], + "nat": { + "ip": "10.189.58.145", + "port": 5273 + }, + "port": 6125 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "allow", + "agent_id_status": "verified", + "code": "sse", + "dataset": "fortinet_fortimanager.log", + "ingested": "2022-01-25T12:33:50Z", + "original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "very-high", + "source": { + "address": "172.30.0.4:60997" + } + }, + "network": { + "bytes": 8329 + }, + "observer": { + "egress": { + "interface": { + "name": "enp0s3068" + } + }, + "ingress": { + "interface": { + "name": "eth5722" + } + }, + "product": "FortiManager", + "type": "Configuration", + "vendor": "Fortinet" + }, + "related": { + "hosts": [ + "modtempo" + ], + "ip": [ + "10.189.58.145", + "10.20.234.169", + "10.44.173.44" + ] + }, + "rsa": { + "internal": { + "messageid": "generic_fortinetmgr_1" + }, + "misc": { + "action": [ + "allow" + ], + "category": "der", + "context": "abo", + "event_source": "modtempo", + "event_type": "exercita", + "hardware_id": "olab", + "log_session_id": "psa", + "policy_id": "ntium", + "reference_id": "sse", + "severity": "very-high", + "vsys": "nto" + }, + "network": { + "dinterface": "enp0s3068", + "network_service": "lupt", + "sinterface": "eth5722" + }, + "time": { + "duration_time": 14.119, + "event_time": "2016-01-29T06:09:59.000Z", + "event_time_str": "odoco" + }, + "web": { + "reputation_num": 13.8 + } + }, + "source": { + "bytes": 7880, + "geo": { + "country_name": "dolore" + }, + "ip": [ + "10.20.234.169" + ], + "port": 1001 + }, + "tags": [ + "preserve_original_event", + "fortinet-fortimanager", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/fortinet_fortimanager/1.1.3/docs/README.md b/packages/fortinet_fortimanager/1.1.3/docs/README.md new file mode 100755 index 0000000000..11dc58117b --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/docs/README.md @@ -0,0 +1,990 @@ +# Fortinet FortiManager Integration + +This integration is for Fortinet FortiManager logs sent in the syslog format. + +## Compatibility + +This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. + +### Log + +The `log` dataset collects JFortinet FortiManager logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2016-01-29T06:09:59.000Z", + "agent": { + "ephemeral_id": "607e3bda-a938-4637-8dd4-02613e9144ac", + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "fortinet_fortimanager.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 449, + "geo": { + "country_name": "sequa" + }, + "ip": [ + "10.44.173.44" + ], + "nat": { + "ip": "10.189.58.145", + "port": 5273 + }, + "port": 6125 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4e3f135a-d5f9-40b6-ae01-2c834ecbead0", + "snapshot": true, + "version": "8.0.0" + }, + "event": { + "action": "allow", + "agent_id_status": "verified", + "code": "sse", + "dataset": "fortinet_fortimanager.log", + "ingested": "2022-01-25T12:33:50Z", + "original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n", + "timezone": "+00:00" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "very-high", + "source": { + "address": "172.30.0.4:60997" + } + }, + "network": { + "bytes": 8329 + }, + "observer": { + "egress": { + "interface": { + "name": "enp0s3068" + } + }, + "ingress": { + "interface": { + "name": "eth5722" + } + }, + "product": "FortiManager", + "type": "Configuration", + "vendor": "Fortinet" + }, + "related": { + "hosts": [ + "modtempo" + ], + "ip": [ + "10.189.58.145", + "10.20.234.169", + "10.44.173.44" + ] + }, + "rsa": { + "internal": { + "messageid": "generic_fortinetmgr_1" + }, + "misc": { + "action": [ + "allow" + ], + "category": "der", + "context": "abo", + "event_source": "modtempo", + "event_type": "exercita", + "hardware_id": "olab", + "log_session_id": "psa", + "policy_id": "ntium", + "reference_id": "sse", + "severity": "very-high", + "vsys": "nto" + }, + "network": { + "dinterface": "enp0s3068", + "network_service": "lupt", + "sinterface": "eth5722" + }, + "time": { + "duration_time": 14.119, + "event_time": "2016-01-29T06:09:59.000Z", + "event_time_str": "odoco" + }, + "web": { + "reputation_num": 13.8 + } + }, + "source": { + "bytes": 7880, + "geo": { + "country_name": "dolore" + }, + "ip": [ + "10.20.234.169" + ], + "port": 1001 + }, + "tags": [ + "preserve_original_event", + "fortinet-fortimanager", + "forwarded" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.domain | Server domain. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| geo.city_name | City name. | keyword | +| geo.country_name | Country name. | keyword | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_name | Region name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.interface.name | | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.pid | Process id. | long | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rsa.counters.dclass_c1 | This is a generic counter key that should be used with the label dclass.c1.str only | long | +| rsa.counters.dclass_c1_str | This is a generic counter string key that should be used with the label dclass.c1 only | keyword | +| rsa.counters.dclass_c2 | This is a generic counter key that should be used with the label dclass.c2.str only | long | +| rsa.counters.dclass_c2_str | This is a generic counter string key that should be used with the label dclass.c2 only | keyword | +| rsa.counters.dclass_c3 | This is a generic counter key that should be used with the label dclass.c3.str only | long | +| rsa.counters.dclass_c3_str | This is a generic counter string key that should be used with the label dclass.c3 only | keyword | +| rsa.counters.dclass_r1 | This is a generic ratio key that should be used with the label dclass.r1.str only | keyword | +| rsa.counters.dclass_r1_str | This is a generic ratio string key that should be used with the label dclass.r1 only | keyword | +| rsa.counters.dclass_r2 | This is a generic ratio key that should be used with the label dclass.r2.str only | keyword | +| rsa.counters.dclass_r2_str | This is a generic ratio string key that should be used with the label dclass.r2 only | keyword | +| rsa.counters.dclass_r3 | This is a generic ratio key that should be used with the label dclass.r3.str only | keyword | +| rsa.counters.dclass_r3_str | This is a generic ratio string key that should be used with the label dclass.r3 only | keyword | +| rsa.counters.event_counter | This is used to capture the number of times an event repeated | long | +| rsa.crypto.cert_ca | This key is used to capture the Certificate signing authority only | keyword | +| rsa.crypto.cert_checksum | | keyword | +| rsa.crypto.cert_common | This key is used to capture the Certificate common name only | keyword | +| rsa.crypto.cert_error | This key captures the Certificate Error String | keyword | +| rsa.crypto.cert_host_cat | This key is used for the hostname category value of a certificate | keyword | +| rsa.crypto.cert_host_name | Deprecated key defined only in table map. | keyword | +| rsa.crypto.cert_issuer | | keyword | +| rsa.crypto.cert_keysize | | keyword | +| rsa.crypto.cert_serial | This key is used to capture the Certificate serial number only | keyword | +| rsa.crypto.cert_status | This key captures Certificate validation status | keyword | +| rsa.crypto.cert_subject | This key is used to capture the Certificate organization only | keyword | +| rsa.crypto.cert_username | | keyword | +| rsa.crypto.cipher_dst | This key is for Destination (Server) Cipher | keyword | +| rsa.crypto.cipher_size_dst | This key captures Destination (Server) Cipher Size | long | +| rsa.crypto.cipher_size_src | This key captures Source (Client) Cipher Size | long | +| rsa.crypto.cipher_src | This key is for Source (Client) Cipher | keyword | +| rsa.crypto.crypto | This key is used to capture the Encryption Type or Encryption Key only | keyword | +| rsa.crypto.d_certauth | | keyword | +| rsa.crypto.https_insact | | keyword | +| rsa.crypto.https_valid | | keyword | +| rsa.crypto.ike | IKE negotiation phase. | keyword | +| rsa.crypto.ike_cookie1 | ID of the negotiation — sent for ISAKMP Phase One | keyword | +| rsa.crypto.ike_cookie2 | ID of the negotiation — sent for ISAKMP Phase Two | keyword | +| rsa.crypto.peer | This key is for Encryption peer's IP Address | keyword | +| rsa.crypto.peer_id | This key is for Encryption peer’s identity | keyword | +| rsa.crypto.s_certauth | | keyword | +| rsa.crypto.scheme | This key captures the Encryption scheme used | keyword | +| rsa.crypto.sig_type | This key captures the Signature Type | keyword | +| rsa.crypto.ssl_ver_dst | Deprecated, use version | keyword | +| rsa.crypto.ssl_ver_src | Deprecated, use version | keyword | +| rsa.db.database | This key is used to capture the name of a database or an instance as seen in a session | keyword | +| rsa.db.db_id | This key is used to capture the unique identifier for a database | keyword | +| rsa.db.db_pid | This key captures the process id of a connection with database server | long | +| rsa.db.index | This key captures IndexID of the index. | keyword | +| rsa.db.instance | This key is used to capture the database server instance name | keyword | +| rsa.db.lread | This key is used for the number of logical reads | long | +| rsa.db.lwrite | This key is used for the number of logical writes | long | +| rsa.db.permissions | This key captures permission or privilege level assigned to a resource. | keyword | +| rsa.db.pread | This key is used for the number of physical writes | long | +| rsa.db.table_name | This key is used to capture the table name | keyword | +| rsa.db.transact_id | This key captures the SQL transantion ID of the current session | keyword | +| rsa.email.email | This key is used to capture a generic email address where the source or destination context is not clear | keyword | +| rsa.email.email_dst | This key is used to capture the Destination email address only, when the destination context is not clear use email | keyword | +| rsa.email.email_src | This key is used to capture the source email address only, when the source context is not clear use email | keyword | +| rsa.email.subject | This key is used to capture the subject string from an Email only. | keyword | +| rsa.email.trans_from | Deprecated key defined only in table map. | keyword | +| rsa.email.trans_to | Deprecated key defined only in table map. | keyword | +| rsa.endpoint.host_state | This key is used to capture the current state of the machine, such as \blacklisted\, \infected\, \firewall disabled\ and so on | keyword | +| rsa.endpoint.registry_key | This key captures the path to the registry key | keyword | +| rsa.endpoint.registry_value | This key captures values or decorators used within a registry entry | keyword | +| rsa.file.attachment | This key captures the attachment file name | keyword | +| rsa.file.binary | Deprecated key defined only in table map. | keyword | +| rsa.file.directory_dst | \This key is used to capture the directory of the target process or file\ | keyword | +| rsa.file.directory_src | This key is used to capture the directory of the source process or file | keyword | +| rsa.file.file_entropy | This is used to capture entropy vale of a file | double | +| rsa.file.file_vendor | This is used to capture Company name of file located in version_info | keyword | +| rsa.file.filename_dst | This is used to capture name of the file targeted by the action | keyword | +| rsa.file.filename_src | This is used to capture name of the parent filename, the file which performed the action | keyword | +| rsa.file.filename_tmp | | keyword | +| rsa.file.filesystem | | keyword | +| rsa.file.privilege | Deprecated, use permissions | keyword | +| rsa.file.task_name | This is used to capture name of the task | keyword | +| rsa.healthcare.patient_fname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_id | This key captures the unique ID for a patient | keyword | +| rsa.healthcare.patient_lname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.healthcare.patient_mname | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.accesses | This key is used to capture actual privileges used in accessing an object | keyword | +| rsa.identity.auth_method | This key is used to capture authentication methods used only | keyword | +| rsa.identity.dn | X.500 (LDAP) Distinguished Name | keyword | +| rsa.identity.dn_dst | An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn | keyword | +| rsa.identity.dn_src | An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn | keyword | +| rsa.identity.federated_idp | This key is the federated Identity Provider. This is the server providing the authentication. | keyword | +| rsa.identity.federated_sp | This key is the Federated Service Provider. This is the application requesting authentication. | keyword | +| rsa.identity.firstname | This key is for First Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.host_role | This key should only be used to capture the role of a Host Machine | keyword | +| rsa.identity.lastname | This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.ldap | This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context | keyword | +| rsa.identity.ldap_query | This key is the Search criteria from an LDAP search | keyword | +| rsa.identity.ldap_response | This key is to capture Results from an LDAP search | keyword | +| rsa.identity.logon_type | This key is used to capture the type of logon method used. | keyword | +| rsa.identity.logon_type_desc | This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. | keyword | +| rsa.identity.middlename | This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information | keyword | +| rsa.identity.org | This key captures the User organization | keyword | +| rsa.identity.owner | This is used to capture username the process or service is running as, the author of the task | keyword | +| rsa.identity.password | This key is for Passwords seen in any session, plain text or encrypted | keyword | +| rsa.identity.profile | This key is used to capture the user profile | keyword | +| rsa.identity.realm | Radius realm or similar grouping of accounts | keyword | +| rsa.identity.service_account | This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage | keyword | +| rsa.identity.user_dept | User's Department Names only | keyword | +| rsa.identity.user_role | This key is used to capture the Role of a user only | keyword | +| rsa.identity.user_sid_dst | This key captures Destination User Session ID | keyword | +| rsa.identity.user_sid_src | This key captures Source User Session ID | keyword | +| rsa.internal.audit_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.cid | This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.data | Deprecated key defined only in table map. | keyword | +| rsa.internal.dead | Deprecated key defined only in table map. | long | +| rsa.internal.device_class | This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_group | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_host | This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_ip | This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_ipv6 | This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.device_type | This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.device_type_id | Deprecated key defined only in table map. | long | +| rsa.internal.did | This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.entropy_req | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entropy_res | This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration | long | +| rsa.internal.entry | Deprecated key defined only in table map. | keyword | +| rsa.internal.event_desc | | keyword | +| rsa.internal.event_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.feed_category | This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_desc | This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.feed_name | This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.forward_ip | This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. | ip | +| rsa.internal.forward_ipv6 | This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | ip | +| rsa.internal.hcode | Deprecated key defined only in table map. | keyword | +| rsa.internal.header_id | This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.inode | Deprecated key defined only in table map. | long | +| rsa.internal.lc_cid | This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.lc_ctime | This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | date | +| rsa.internal.level | Deprecated key defined only in table map. | long | +| rsa.internal.mcb_req | This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcb_res | This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most | long | +| rsa.internal.mcbc_req | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.mcbc_res | This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams | long | +| rsa.internal.medium | This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session | long | +| rsa.internal.message | This key captures the contents of instant messages | keyword | +| rsa.internal.messageid | | keyword | +| rsa.internal.msg | This key is used to capture the raw message that comes into the Log Decoder | keyword | +| rsa.internal.msg_id | This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.msg_vid | This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.node_name | Deprecated key defined only in table map. | keyword | +| rsa.internal.nwe_callback_id | This key denotes that event is endpoint related | keyword | +| rsa.internal.obj_id | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_server | Deprecated key defined only in table map. | keyword | +| rsa.internal.obj_val | Deprecated key defined only in table map. | keyword | +| rsa.internal.parse_error | This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.payload_req | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.payload_res | This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep | long | +| rsa.internal.process_vid_dst | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. | keyword | +| rsa.internal.process_vid_src | Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. | keyword | +| rsa.internal.resource | Deprecated key defined only in table map. | keyword | +| rsa.internal.resource_class | Deprecated key defined only in table map. | keyword | +| rsa.internal.rid | This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.session_split | This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.site | Deprecated key defined only in table map. | keyword | +| rsa.internal.size | This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | long | +| rsa.internal.sourcefile | This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.internal.statement | Deprecated key defined only in table map. | keyword | +| rsa.internal.time | This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. | date | +| rsa.internal.ubc_req | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.ubc_res | This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once | long | +| rsa.internal.word | This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log | keyword | +| rsa.investigations.analysis_file | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file | keyword | +| rsa.investigations.analysis_service | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service | keyword | +| rsa.investigations.analysis_session | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session | keyword | +| rsa.investigations.boc | This is used to capture behaviour of compromise | keyword | +| rsa.investigations.ec_activity | This key captures the particular event activity(Ex:Logoff) | keyword | +| rsa.investigations.ec_outcome | This key captures the outcome of a particular Event(Ex:Success) | keyword | +| rsa.investigations.ec_subject | This key captures the Subject of a particular Event(Ex:User) | keyword | +| rsa.investigations.ec_theme | This key captures the Theme of a particular Event(Ex:Authentication) | keyword | +| rsa.investigations.eoc | This is used to capture Enablers of Compromise | keyword | +| rsa.investigations.event_cat | This key captures the Event category number | long | +| rsa.investigations.event_cat_name | This key captures the event category name corresponding to the event cat code | keyword | +| rsa.investigations.event_vcat | This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. | keyword | +| rsa.investigations.inv_category | This used to capture investigation category | keyword | +| rsa.investigations.inv_context | This used to capture investigation context | keyword | +| rsa.investigations.ioc | This is key capture indicator of compromise | keyword | +| rsa.misc.OS | This key captures the Name of the Operating System | keyword | +| rsa.misc.acl_id | | keyword | +| rsa.misc.acl_op | | keyword | +| rsa.misc.acl_pos | | keyword | +| rsa.misc.acl_table | | keyword | +| rsa.misc.action | | keyword | +| rsa.misc.admin | | keyword | +| rsa.misc.agent_id | This key is used to capture agent id | keyword | +| rsa.misc.alarm_id | | keyword | +| rsa.misc.alarmname | | keyword | +| rsa.misc.alert_id | Deprecated, New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.app_id | | keyword | +| rsa.misc.audit | | keyword | +| rsa.misc.audit_object | | keyword | +| rsa.misc.auditdata | | keyword | +| rsa.misc.autorun_type | This is used to capture Auto Run type | keyword | +| rsa.misc.benchmark | | keyword | +| rsa.misc.bypass | | keyword | +| rsa.misc.cache | | keyword | +| rsa.misc.cache_hit | | keyword | +| rsa.misc.category | This key is used to capture the category of an event given by the vendor in the session | keyword | +| rsa.misc.cc_number | Valid Credit Card Numbers only | long | +| rsa.misc.cefversion | | keyword | +| rsa.misc.cfg_attr | | keyword | +| rsa.misc.cfg_obj | | keyword | +| rsa.misc.cfg_path | | keyword | +| rsa.misc.change_attrib | This key is used to capture the name of the attribute that’s changing in a session | keyword | +| rsa.misc.change_new | This key is used to capture the new values of the attribute that’s changing in a session | keyword | +| rsa.misc.change_old | This key is used to capture the old value of the attribute that’s changing in a session | keyword | +| rsa.misc.changes | | keyword | +| rsa.misc.checksum | This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. | keyword | +| rsa.misc.checksum_dst | This key is used to capture the checksum or hash of the the target entity such as a process or file. | keyword | +| rsa.misc.checksum_src | This key is used to capture the checksum or hash of the source entity such as a file or process. | keyword | +| rsa.misc.client | This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. | keyword | +| rsa.misc.client_ip | | keyword | +| rsa.misc.clustermembers | | keyword | +| rsa.misc.cmd | | keyword | +| rsa.misc.cn_acttimeout | | keyword | +| rsa.misc.cn_asn_src | | keyword | +| rsa.misc.cn_bgpv4nxthop | | keyword | +| rsa.misc.cn_ctr_dst_code | | keyword | +| rsa.misc.cn_dst_tos | | keyword | +| rsa.misc.cn_dst_vlan | | keyword | +| rsa.misc.cn_engine_id | | keyword | +| rsa.misc.cn_engine_type | | keyword | +| rsa.misc.cn_f_switch | | keyword | +| rsa.misc.cn_flowsampid | | keyword | +| rsa.misc.cn_flowsampintv | | keyword | +| rsa.misc.cn_flowsampmode | | keyword | +| rsa.misc.cn_inacttimeout | | keyword | +| rsa.misc.cn_inpermbyts | | keyword | +| rsa.misc.cn_inpermpckts | | keyword | +| rsa.misc.cn_invalid | | keyword | +| rsa.misc.cn_ip_proto_ver | | keyword | +| rsa.misc.cn_ipv4_ident | | keyword | +| rsa.misc.cn_l_switch | | keyword | +| rsa.misc.cn_log_did | | keyword | +| rsa.misc.cn_log_rid | | keyword | +| rsa.misc.cn_max_ttl | | keyword | +| rsa.misc.cn_maxpcktlen | | keyword | +| rsa.misc.cn_min_ttl | | keyword | +| rsa.misc.cn_minpcktlen | | keyword | +| rsa.misc.cn_mpls_lbl_1 | | keyword | +| rsa.misc.cn_mpls_lbl_10 | | keyword | +| rsa.misc.cn_mpls_lbl_2 | | keyword | +| rsa.misc.cn_mpls_lbl_3 | | keyword | +| rsa.misc.cn_mpls_lbl_4 | | keyword | +| rsa.misc.cn_mpls_lbl_5 | | keyword | +| rsa.misc.cn_mpls_lbl_6 | | keyword | +| rsa.misc.cn_mpls_lbl_7 | | keyword | +| rsa.misc.cn_mpls_lbl_8 | | keyword | +| rsa.misc.cn_mpls_lbl_9 | | keyword | +| rsa.misc.cn_mplstoplabel | | keyword | +| rsa.misc.cn_mplstoplabip | | keyword | +| rsa.misc.cn_mul_dst_byt | | keyword | +| rsa.misc.cn_mul_dst_pks | | keyword | +| rsa.misc.cn_muligmptype | | keyword | +| rsa.misc.cn_sampalgo | | keyword | +| rsa.misc.cn_sampint | | keyword | +| rsa.misc.cn_seqctr | | keyword | +| rsa.misc.cn_spackets | | keyword | +| rsa.misc.cn_src_tos | | keyword | +| rsa.misc.cn_src_vlan | | keyword | +| rsa.misc.cn_sysuptime | | keyword | +| rsa.misc.cn_template_id | | keyword | +| rsa.misc.cn_totbytsexp | | keyword | +| rsa.misc.cn_totflowexp | | keyword | +| rsa.misc.cn_totpcktsexp | | keyword | +| rsa.misc.cn_unixnanosecs | | keyword | +| rsa.misc.cn_v6flowlabel | | keyword | +| rsa.misc.cn_v6optheaders | | keyword | +| rsa.misc.code | | keyword | +| rsa.misc.command | | keyword | +| rsa.misc.comments | Comment information provided in the log message | keyword | +| rsa.misc.comp_class | | keyword | +| rsa.misc.comp_name | | keyword | +| rsa.misc.comp_rbytes | | keyword | +| rsa.misc.comp_sbytes | | keyword | +| rsa.misc.comp_version | This key captures the Version level of a sub-component of a product. | keyword | +| rsa.misc.connection_id | This key captures the Connection ID | keyword | +| rsa.misc.content | This key captures the content type from protocol headers | keyword | +| rsa.misc.content_type | This key is used to capture Content Type only. | keyword | +| rsa.misc.content_version | This key captures Version level of a signature or database content. | keyword | +| rsa.misc.context | This key captures Information which adds additional context to the event. | keyword | +| rsa.misc.context_subject | This key is to be used in an audit context where the subject is the object being identified | keyword | +| rsa.misc.context_target | | keyword | +| rsa.misc.count | | keyword | +| rsa.misc.cpu | This key is the CPU time used in the execution of the event being recorded. | long | +| rsa.misc.cpu_data | | keyword | +| rsa.misc.criticality | | keyword | +| rsa.misc.cs_agency_dst | | keyword | +| rsa.misc.cs_analyzedby | | keyword | +| rsa.misc.cs_av_other | | keyword | +| rsa.misc.cs_av_primary | | keyword | +| rsa.misc.cs_av_secondary | | keyword | +| rsa.misc.cs_bgpv6nxthop | | keyword | +| rsa.misc.cs_bit9status | | keyword | +| rsa.misc.cs_context | | keyword | +| rsa.misc.cs_control | | keyword | +| rsa.misc.cs_data | | keyword | +| rsa.misc.cs_datecret | | keyword | +| rsa.misc.cs_dst_tld | | keyword | +| rsa.misc.cs_eth_dst_ven | | keyword | +| rsa.misc.cs_eth_src_ven | | keyword | +| rsa.misc.cs_event_uuid | | keyword | +| rsa.misc.cs_filetype | | keyword | +| rsa.misc.cs_fld | | keyword | +| rsa.misc.cs_if_desc | | keyword | +| rsa.misc.cs_if_name | | keyword | +| rsa.misc.cs_ip_next_hop | | keyword | +| rsa.misc.cs_ipv4dstpre | | keyword | +| rsa.misc.cs_ipv4srcpre | | keyword | +| rsa.misc.cs_lifetime | | keyword | +| rsa.misc.cs_log_medium | | keyword | +| rsa.misc.cs_loginname | | keyword | +| rsa.misc.cs_modulescore | | keyword | +| rsa.misc.cs_modulesign | | keyword | +| rsa.misc.cs_opswatresult | | keyword | +| rsa.misc.cs_payload | | keyword | +| rsa.misc.cs_registrant | | keyword | +| rsa.misc.cs_registrar | | keyword | +| rsa.misc.cs_represult | | keyword | +| rsa.misc.cs_rpayload | | keyword | +| rsa.misc.cs_sampler_name | | keyword | +| rsa.misc.cs_sourcemodule | | keyword | +| rsa.misc.cs_streams | | keyword | +| rsa.misc.cs_targetmodule | | keyword | +| rsa.misc.cs_v6nxthop | | keyword | +| rsa.misc.cs_whois_server | | keyword | +| rsa.misc.cs_yararesult | | keyword | +| rsa.misc.cve | This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. | keyword | +| rsa.misc.data_type | | keyword | +| rsa.misc.description | | keyword | +| rsa.misc.device_name | This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc | keyword | +| rsa.misc.devvendor | | keyword | +| rsa.misc.disposition | This key captures the The end state of an action. | keyword | +| rsa.misc.distance | | keyword | +| rsa.misc.doc_number | This key captures File Identification number | long | +| rsa.misc.dstburb | | keyword | +| rsa.misc.edomain | | keyword | +| rsa.misc.edomaub | | keyword | +| rsa.misc.ein_number | Employee Identification Numbers only | long | +| rsa.misc.error | This key captures All non successful Error codes or responses | keyword | +| rsa.misc.euid | | keyword | +| rsa.misc.event_category | | keyword | +| rsa.misc.event_computer | This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. | keyword | +| rsa.misc.event_desc | This key is used to capture a description of an event available directly or inferred | keyword | +| rsa.misc.event_id | | keyword | +| rsa.misc.event_log | This key captures the Name of the event log | keyword | +| rsa.misc.event_source | This key captures Source of the event that’s not a hostname | keyword | +| rsa.misc.event_state | This key captures the current state of the object/item referenced within the event. Describing an on-going event. | keyword | +| rsa.misc.event_type | This key captures the event category type as specified by the event source. | keyword | +| rsa.misc.event_user | This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. | keyword | +| rsa.misc.expected_val | This key captures the Value expected (from the perspective of the device generating the log). | keyword | +| rsa.misc.facility | | keyword | +| rsa.misc.facilityname | | keyword | +| rsa.misc.fcatnum | This key captures Filter Category Number. Legacy Usage | keyword | +| rsa.misc.filter | This key captures Filter used to reduce result set | keyword | +| rsa.misc.finterface | | keyword | +| rsa.misc.flags | | keyword | +| rsa.misc.forensic_info | | keyword | +| rsa.misc.found | This is used to capture the results of regex match | keyword | +| rsa.misc.fresult | This key captures the Filter Result | long | +| rsa.misc.gaddr | | keyword | +| rsa.misc.group | This key captures the Group Name value | keyword | +| rsa.misc.group_id | This key captures Group ID Number (related to the group name) | keyword | +| rsa.misc.group_object | This key captures a collection/grouping of entities. Specific usage | keyword | +| rsa.misc.hardware_id | This key is used to capture unique identifier for a device or system (NOT a Mac address) | keyword | +| rsa.misc.id3 | | keyword | +| rsa.misc.im_buddyid | | keyword | +| rsa.misc.im_buddyname | | keyword | +| rsa.misc.im_client | | keyword | +| rsa.misc.im_croomid | | keyword | +| rsa.misc.im_croomtype | | keyword | +| rsa.misc.im_members | | keyword | +| rsa.misc.im_userid | | keyword | +| rsa.misc.im_username | | keyword | +| rsa.misc.index | | keyword | +| rsa.misc.inout | | keyword | +| rsa.misc.ipkt | | keyword | +| rsa.misc.ipscat | | keyword | +| rsa.misc.ipspri | | keyword | +| rsa.misc.job_num | This key captures the Job Number | keyword | +| rsa.misc.jobname | | keyword | +| rsa.misc.language | This is used to capture list of languages the client support and what it prefers | keyword | +| rsa.misc.latitude | | keyword | +| rsa.misc.library | This key is used to capture library information in mainframe devices | keyword | +| rsa.misc.lifetime | This key is used to capture the session lifetime in seconds. | long | +| rsa.misc.linenum | | keyword | +| rsa.misc.link | This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness | keyword | +| rsa.misc.list_name | | keyword | +| rsa.misc.listnum | This key is used to capture listname or listnumber, primarily for collecting access-list | keyword | +| rsa.misc.load_data | | keyword | +| rsa.misc.location_floor | | keyword | +| rsa.misc.location_mark | | keyword | +| rsa.misc.log_id | | keyword | +| rsa.misc.log_session_id | This key is used to capture a sessionid from the session directly | keyword | +| rsa.misc.log_session_id1 | This key is used to capture a Linked (Related) Session ID from the session directly | keyword | +| rsa.misc.log_type | | keyword | +| rsa.misc.logid | | keyword | +| rsa.misc.logip | | keyword | +| rsa.misc.logname | | keyword | +| rsa.misc.longitude | | keyword | +| rsa.misc.lport | | keyword | +| rsa.misc.mail_id | This key is used to capture the mailbox id/name | keyword | +| rsa.misc.match | This key is for regex match name from search.ini | keyword | +| rsa.misc.mbug_data | | keyword | +| rsa.misc.message_body | This key captures the The contents of the message body. | keyword | +| rsa.misc.misc | | keyword | +| rsa.misc.misc_name | | keyword | +| rsa.misc.mode | | keyword | +| rsa.misc.msgIdPart1 | | keyword | +| rsa.misc.msgIdPart2 | | keyword | +| rsa.misc.msgIdPart3 | | keyword | +| rsa.misc.msgIdPart4 | | keyword | +| rsa.misc.msg_type | | keyword | +| rsa.misc.msgid | | keyword | +| rsa.misc.name | | keyword | +| rsa.misc.netsessid | | keyword | +| rsa.misc.node | Common use case is the node name within a cluster. The cluster name is reflected by the host name. | keyword | +| rsa.misc.ntype | | keyword | +| rsa.misc.num | | keyword | +| rsa.misc.number | | keyword | +| rsa.misc.number1 | | keyword | +| rsa.misc.number2 | | keyword | +| rsa.misc.nwwn | | keyword | +| rsa.misc.obj_name | This is used to capture name of object | keyword | +| rsa.misc.obj_type | This is used to capture type of object | keyword | +| rsa.misc.object | | keyword | +| rsa.misc.observed_val | This key captures the Value observed (from the perspective of the device generating the log). | keyword | +| rsa.misc.operation | | keyword | +| rsa.misc.operation_id | An alert number or operation number. The values should be unique and non-repeating. | keyword | +| rsa.misc.opkt | | keyword | +| rsa.misc.orig_from | | keyword | +| rsa.misc.owner_id | | keyword | +| rsa.misc.p_action | | keyword | +| rsa.misc.p_filter | | keyword | +| rsa.misc.p_group_object | | keyword | +| rsa.misc.p_id | | keyword | +| rsa.misc.p_msgid | | keyword | +| rsa.misc.p_msgid1 | | keyword | +| rsa.misc.p_msgid2 | | keyword | +| rsa.misc.p_result1 | | keyword | +| rsa.misc.param | This key is the parameters passed as part of a command or application, etc. | keyword | +| rsa.misc.param_dst | This key captures the command line/launch argument of the target process or file | keyword | +| rsa.misc.param_src | This key captures source parameter | keyword | +| rsa.misc.parent_node | This key captures the Parent Node Name. Must be related to node variable. | keyword | +| rsa.misc.password_chg | | keyword | +| rsa.misc.password_expire | | keyword | +| rsa.misc.payload_dst | This key is used to capture destination payload | keyword | +| rsa.misc.payload_src | This key is used to capture source payload | keyword | +| rsa.misc.permgranted | | keyword | +| rsa.misc.permwanted | | keyword | +| rsa.misc.pgid | | keyword | +| rsa.misc.phone | | keyword | +| rsa.misc.pid | | keyword | +| rsa.misc.policy | | keyword | +| rsa.misc.policyUUID | | keyword | +| rsa.misc.policy_id | This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise | keyword | +| rsa.misc.policy_name | This key is used to capture the Policy Name only. | keyword | +| rsa.misc.policy_value | This key captures the contents of the policy. This contains details about the policy | keyword | +| rsa.misc.policy_waiver | | keyword | +| rsa.misc.pool_id | This key captures the identifier (typically numeric field) of a resource pool | keyword | +| rsa.misc.pool_name | This key captures the name of a resource pool | keyword | +| rsa.misc.port_name | This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). | keyword | +| rsa.misc.priority | | keyword | +| rsa.misc.process_id_val | This key is a failure key for Process ID when it is not an integer value | keyword | +| rsa.misc.prog_asp_num | | keyword | +| rsa.misc.program | | keyword | +| rsa.misc.real_data | | keyword | +| rsa.misc.reason | | keyword | +| rsa.misc.rec_asp_device | | keyword | +| rsa.misc.rec_asp_num | | keyword | +| rsa.misc.rec_library | | keyword | +| rsa.misc.recordnum | | keyword | +| rsa.misc.reference_id | This key is used to capture an event id from the session directly | keyword | +| rsa.misc.reference_id1 | This key is for Linked ID to be used as an addition to "reference.id" | keyword | +| rsa.misc.reference_id2 | This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. | keyword | +| rsa.misc.result | This key is used to capture the outcome/result string value of an action in a session. | keyword | +| rsa.misc.result_code | This key is used to capture the outcome/result numeric value of an action in a session | keyword | +| rsa.misc.risk | This key captures the non-numeric risk value | keyword | +| rsa.misc.risk_info | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_num | This key captures a Numeric Risk value | double | +| rsa.misc.risk_num_comm | This key captures Risk Number Community | double | +| rsa.misc.risk_num_next | This key captures Risk Number NextGen | double | +| rsa.misc.risk_num_sand | This key captures Risk Number SandBox | double | +| rsa.misc.risk_num_static | This key captures Risk Number Static | double | +| rsa.misc.risk_suspicious | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.risk_warning | Deprecated, use New Hunting Model (inv.\*, ioc, boc, eoc, analysis.\*) | keyword | +| rsa.misc.ruid | | keyword | +| rsa.misc.rule | This key captures the Rule number | keyword | +| rsa.misc.rule_group | This key captures the Rule group name | keyword | +| rsa.misc.rule_name | This key captures the Rule Name | keyword | +| rsa.misc.rule_template | A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template | keyword | +| rsa.misc.rule_uid | This key is the Unique Identifier for a rule. | keyword | +| rsa.misc.sburb | | keyword | +| rsa.misc.sdomain_fld | | keyword | +| rsa.misc.search_text | This key captures the Search Text used | keyword | +| rsa.misc.sec | | keyword | +| rsa.misc.second | | keyword | +| rsa.misc.sensor | This key captures Name of the sensor. Typically used in IDS/IPS based devices | keyword | +| rsa.misc.sensorname | | keyword | +| rsa.misc.seqnum | | keyword | +| rsa.misc.serial_number | This key is the Serial number associated with a physical asset. | keyword | +| rsa.misc.session | | keyword | +| rsa.misc.sessiontype | | keyword | +| rsa.misc.severity | This key is used to capture the severity given the session | keyword | +| rsa.misc.sigUUID | | keyword | +| rsa.misc.sig_id | This key captures IDS/IPS Int Signature ID | long | +| rsa.misc.sig_id1 | This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id | long | +| rsa.misc.sig_id_str | This key captures a string object of the sigid variable. | keyword | +| rsa.misc.sig_name | This key is used to capture the Signature Name only. | keyword | +| rsa.misc.sigcat | | keyword | +| rsa.misc.snmp_oid | SNMP Object Identifier | keyword | +| rsa.misc.snmp_value | SNMP set request value | keyword | +| rsa.misc.space | | keyword | +| rsa.misc.space1 | | keyword | +| rsa.misc.spi | | keyword | +| rsa.misc.spi_dst | Destination SPI Index | keyword | +| rsa.misc.spi_src | Source SPI Index | keyword | +| rsa.misc.sql | This key captures the SQL query | keyword | +| rsa.misc.srcburb | | keyword | +| rsa.misc.srcdom | | keyword | +| rsa.misc.srcservice | | keyword | +| rsa.misc.state | | keyword | +| rsa.misc.status | | keyword | +| rsa.misc.status1 | | keyword | +| rsa.misc.streams | This key captures number of streams in session | long | +| rsa.misc.subcategory | | keyword | +| rsa.misc.svcno | | keyword | +| rsa.misc.system | | keyword | +| rsa.misc.tbdstr1 | | keyword | +| rsa.misc.tbdstr2 | | keyword | +| rsa.misc.tcp_flags | This key is captures the TCP flags set in any packet of session | long | +| rsa.misc.terminal | This key captures the Terminal Names only | keyword | +| rsa.misc.tgtdom | | keyword | +| rsa.misc.tgtdomain | | keyword | +| rsa.misc.threshold | | keyword | +| rsa.misc.tos | This key describes the type of service | long | +| rsa.misc.trigger_desc | This key captures the Description of the trigger or threshold condition. | keyword | +| rsa.misc.trigger_val | This key captures the Value of the trigger or threshold condition. | keyword | +| rsa.misc.type | | keyword | +| rsa.misc.type1 | | keyword | +| rsa.misc.udb_class | | keyword | +| rsa.misc.url_fld | | keyword | +| rsa.misc.user_div | | keyword | +| rsa.misc.userid | | keyword | +| rsa.misc.username_fld | | keyword | +| rsa.misc.utcstamp | | keyword | +| rsa.misc.v_instafname | | keyword | +| rsa.misc.version | This key captures Version of the application or OS which is generating the event. | keyword | +| rsa.misc.virt_data | | keyword | +| rsa.misc.virusname | This key captures the name of the virus | keyword | +| rsa.misc.vm_target | VMWare Target \*\*VMWARE\*\* only varaible. | keyword | +| rsa.misc.vpnid | | keyword | +| rsa.misc.vsys | This key captures Virtual System Name | keyword | +| rsa.misc.vuln_ref | This key captures the Vulnerability Reference details | keyword | +| rsa.misc.workspace | This key captures Workspace Description | keyword | +| rsa.network.ad_computer_dst | Deprecated, use host.dst | keyword | +| rsa.network.addr | | keyword | +| rsa.network.alias_host | This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. | keyword | +| rsa.network.dinterface | This key should only be used when it’s a Destination Interface | keyword | +| rsa.network.dmask | This key is used for Destionation Device network mask | keyword | +| rsa.network.dns_a_record | | keyword | +| rsa.network.dns_cname_record | | keyword | +| rsa.network.dns_id | | keyword | +| rsa.network.dns_opcode | | keyword | +| rsa.network.dns_ptr_record | | keyword | +| rsa.network.dns_resp | | keyword | +| rsa.network.dns_type | | keyword | +| rsa.network.domain | | keyword | +| rsa.network.domain1 | | keyword | +| rsa.network.eth_host | Deprecated, use alias.mac | keyword | +| rsa.network.eth_type | This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only | long | +| rsa.network.faddr | | keyword | +| rsa.network.fhost | | keyword | +| rsa.network.fport | | keyword | +| rsa.network.gateway | This key is used to capture the IP Address of the gateway | keyword | +| rsa.network.host_dst | This key should only be used when it’s a Destination Hostname | keyword | +| rsa.network.host_orig | This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. | keyword | +| rsa.network.host_type | | keyword | +| rsa.network.icmp_code | This key is used to capture the ICMP code only | long | +| rsa.network.icmp_type | This key is used to capture the ICMP type only | long | +| rsa.network.interface | This key should be used when the source or destination context of an interface is not clear | keyword | +| rsa.network.ip_proto | This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI | long | +| rsa.network.laddr | | keyword | +| rsa.network.lhost | | keyword | +| rsa.network.linterface | | keyword | +| rsa.network.mask | This key is used to capture the device network IPmask. | keyword | +| rsa.network.netname | This key is used to capture the network name associated with an IP range. This is configured by the end user. | keyword | +| rsa.network.network_port | Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) | long | +| rsa.network.network_service | This is used to capture layer 7 protocols/service names | keyword | +| rsa.network.origin | | keyword | +| rsa.network.packet_length | | keyword | +| rsa.network.paddr | Deprecated | ip | +| rsa.network.phost | | keyword | +| rsa.network.port | This key should only be used to capture a Network Port when the directionality is not clear | long | +| rsa.network.protocol_detail | This key should be used to capture additional protocol information | keyword | +| rsa.network.remote_domain_id | | keyword | +| rsa.network.rpayload | This key is used to capture the total number of payload bytes seen in the retransmitted packets. | keyword | +| rsa.network.sinterface | This key should only be used when it’s a Source Interface | keyword | +| rsa.network.smask | This key is used for capturing source Network Mask | keyword | +| rsa.network.vlan | This key should only be used to capture the ID of the Virtual LAN | long | +| rsa.network.vlan_name | This key should only be used to capture the name of the Virtual LAN | keyword | +| rsa.network.zone | This key should be used when the source or destination context of a Zone is not clear | keyword | +| rsa.network.zone_dst | This key should only be used when it’s a Destination Zone. | keyword | +| rsa.network.zone_src | This key should only be used when it’s a Source Zone. | keyword | +| rsa.physical.org_dst | This is used to capture the destination organization based on the GEOPIP Maxmind database. | keyword | +| rsa.physical.org_src | This is used to capture the source organization based on the GEOPIP Maxmind database. | keyword | +| rsa.storage.disk_volume | A unique name assigned to logical units (volumes) within a physical disk | keyword | +| rsa.storage.lun | Logical Unit Number.This key is a very useful concept in Storage. | keyword | +| rsa.storage.pwwn | This uniquely identifies a port on a HBA. | keyword | +| rsa.threat.alert | This key is used to capture name of the alert | keyword | +| rsa.threat.threat_category | This key captures Threat Name/Threat Category/Categorization of alert | keyword | +| rsa.threat.threat_desc | This key is used to capture the threat description from the session directly or inferred | keyword | +| rsa.threat.threat_source | This key is used to capture source of the threat | keyword | +| rsa.time.date | | keyword | +| rsa.time.datetime | | keyword | +| rsa.time.day | | keyword | +| rsa.time.duration_str | A text string version of the duration | keyword | +| rsa.time.duration_time | This key is used to capture the normalized duration/lifetime in seconds. | double | +| rsa.time.effective_time | This key is the effective time referenced by an individual event in a Standard Timestamp format | date | +| rsa.time.endtime | This key is used to capture the End time mentioned in a session in a standard form | date | +| rsa.time.event_queue_time | This key is the Time that the event was queued. | date | +| rsa.time.event_time | This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form | date | +| rsa.time.event_time_str | This key is used to capture the incomplete time mentioned in a session as a string | keyword | +| rsa.time.eventtime | | keyword | +| rsa.time.expire_time | This key is the timestamp that explicitly refers to an expiration. | date | +| rsa.time.expire_time_str | This key is used to capture incomplete timestamp that explicitly refers to an expiration. | keyword | +| rsa.time.gmtdate | | keyword | +| rsa.time.gmttime | | keyword | +| rsa.time.hour | | keyword | +| rsa.time.min | | keyword | +| rsa.time.month | | keyword | +| rsa.time.p_date | | keyword | +| rsa.time.p_month | | keyword | +| rsa.time.p_time | | keyword | +| rsa.time.p_time1 | | keyword | +| rsa.time.p_time2 | | keyword | +| rsa.time.p_year | | keyword | +| rsa.time.process_time | Deprecated, use duration.time | keyword | +| rsa.time.recorded_time | The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. | date | +| rsa.time.stamp | Deprecated key defined only in table map. | date | +| rsa.time.starttime | This key is used to capture the Start time mentioned in a session in a standard form | date | +| rsa.time.timestamp | | keyword | +| rsa.time.timezone | This key is used to capture the timezone of the Event Time | keyword | +| rsa.time.tzone | | keyword | +| rsa.time.year | | keyword | +| rsa.web.alias_host | | keyword | +| rsa.web.cn_asn_dst | | keyword | +| rsa.web.cn_rpackets | | keyword | +| rsa.web.fqdn | Fully Qualified Domain Names | keyword | +| rsa.web.p_url | | keyword | +| rsa.web.p_user_agent | | keyword | +| rsa.web.p_web_cookie | | keyword | +| rsa.web.p_web_method | | keyword | +| rsa.web.p_web_referer | | keyword | +| rsa.web.remote_domain | | keyword | +| rsa.web.reputation_num | Reputation Number of an entity. Typically used for Web Domains | double | +| rsa.web.urlpage | | keyword | +| rsa.web.urlroot | | keyword | +| rsa.web.web_cookie | This key is used to capture the Web cookies specifically. | keyword | +| rsa.web.web_extension_tmp | | keyword | +| rsa.web.web_page | | keyword | +| rsa.web.web_ref_domain | Web referer's domain | keyword | +| rsa.web.web_ref_page | This key captures Web referer's page information | keyword | +| rsa.web.web_ref_query | This key captures Web referer's query portion of the URL | keyword | +| rsa.web.web_ref_root | Web referer's root URL path | keyword | +| rsa.wireless.access_point | This key is used to capture the access point name. | keyword | +| rsa.wireless.wlan_channel | This is used to capture the channel names | long | +| rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword | +| rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | diff --git a/packages/fortinet_fortimanager/1.1.3/img/fortinet-logo.svg b/packages/fortinet_fortimanager/1.1.3/img/fortinet-logo.svg new file mode 100755 index 0000000000..d6a8448f32 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/img/fortinet-logo.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/packages/fortinet_fortimanager/1.1.3/manifest.yml b/packages/fortinet_fortimanager/1.1.3/manifest.yml new file mode 100755 index 0000000000..9b55ff1b02 --- /dev/null +++ b/packages/fortinet_fortimanager/1.1.3/manifest.yml @@ -0,0 +1,32 @@ +name: fortinet_fortimanager +title: Fortinet FortiManager Logs +version: 1.1.3 +release: ga +description: Collect logs from Fortinet FortiManager instances with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: ["security"] +conditions: + kibana.version: "^7.14.1 || ^8.0.0" +icons: + - src: /img/fortinet-logo.svg + title: Fortinet + size: 216x216 + type: image/svg+xml +policy_templates: + - name: fortinet_fortimanager + title: Fortinet FortiManager logs + description: Collect logs from Fortinet FortiManager instances + inputs: + - type: logfile + title: "Collect Fortinet FortiManager logs (input: logfile)" + description: "Collecting logs from Fortinet FortiManager instances (input: logfile)" + - type: tcp + title: "Collect Fortinet FortiManager logs (input: tcp)" + description: "Collecting logs from Fortinet FortiManager instances (input: tcp)" + - type: udp + title: "Collect Fortinet FortiManager logs (input: udp)" + description: "Collecting logs from Fortinet FortiManager instances (input: udp)" +owner: + github: elastic/security-external-integrations diff --git a/packages/gcp/2.13.0/LICENSE.txt b/packages/gcp/2.13.0/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/gcp/2.13.0/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/gcp/2.13.0/changelog.yml b/packages/gcp/2.13.0/changelog.yml new file mode 100755 index 0000000000..faf03fd2c4 --- /dev/null +++ b/packages/gcp/2.13.0/changelog.yml @@ -0,0 +1,372 @@ +# newer versions go on top +- version: "2.13.0" + changes: + - description: Migrate dashboard by values + type: enhancement + link: https://github.com/elastic/integrations/pull/4214 +- version: "2.12.1" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4397 +- version: "2.12.0" + changes: + - description: Add GCP Redis + type: enhancement + link: https://github.com/elastic/integrations/pull/4325 +- version: "2.11.12" + changes: + - description: Add GKE ingest pipeline. + type: bugfix + link: https://github.com/elastic/integrations/pull/4357 +- version: "2.11.11" + changes: + - description: Fix type of dns.answers.ttl. + type: bugfix + link: https://github.com/elastic/integrations/pull/4371 +- version: "2.11.10" + changes: + - description: Add ingest pipeline for dataproc. + type: enhancement + link: https://github.com/elastic/integrations/pull/4344 + - description: Add GCP loadbalancing ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4350 + - description: Add GCP PubSub ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4349 + - description: Add GCP Storage ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4348 + - description: Add GCP Firestore ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4347 + - description: Add GCP Compute ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4343 +- version: "2.11.10-beta.6" + changes: + - description: Add ingest pipeline for dataproc. + type: enhancement + link: https://github.com/elastic/integrations/pull/4344 +- version: "2.11.10-beta.5" + changes: + - description: Add GCP loadbalancing ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4350 +- version: "2.11.10-beta.4" + changes: + - description: Add GCP PubSub ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4349 +- version: "2.11.10-beta.3" + changes: + - description: Add GCP Storage ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4348 +- version: "2.11.10-beta.2" + changes: + - description: Add GCP Firestore ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4347 +- version: "2.11.10-beta.1" + changes: + - description: Add GCP Compute ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/4343 +- version: "2.11.9" + changes: + - description: Fix GKE kubernetes.io indentation. + type: bugfix + link: https://github.com/elastic/integrations/pull/4355 +- version: "2.11.8" + changes: + - description: Remove duplicate fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/4339 +- version: "2.11.7" + changes: + - description: Move Dataproc lightweight module config into integration + type: enhancement + link: https://github.com/elastic/integrations/pull/4270 +- version: "2.11.6" + changes: + - description: Move LoadBalancing lightweight module config into integration + type: enhancement + link: https://github.com/elastic/integrations/pull/4269 +- version: "2.11.5" + changes: + - description: Move Storage lightweight module config into integration + type: enhancement + link: https://github.com/elastic/integrations/pull/4268 +- version: "2.11.4" + changes: + - description: Move PubSub lightweight module config into integration + type: enhancement + link: https://github.com/elastic/integrations/pull/4267 +- version: "2.11.3" + changes: + - description: Move GKE lightweight module config into integration + type: enhancement + link: https://github.com/elastic/integrations/pull/3797 +- version: "2.11.2" + changes: + - description: Move Firestore lightweight module config into integration + type: enhancement + link: https://github.com/elastic/integrations/pull/3798 +- version: "2.11.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "2.11.0" + changes: + - description: Move Compute lightweight module config into integration + type: enhancement + link: https://github.com/elastic/integrations/pull/3797 +- version: "2.10.0" + changes: + - description: Add GCP PubSub Data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/3788 +- version: "2.9.0" + changes: + - description: Add GCP Dataproc Data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/3789 +- version: "2.8.0" + changes: + - description: Add GCP GKE Data Stream + type: enhancement + link: https://github.com/elastic/integrations/pull/4098 +- version: "2.7.0" + changes: + - description: Add GCP Storage Data Stream + type: enhancement + link: https://github.com/elastic/integrations/pull/3785 +- version: "2.6.0" + changes: + - description: Add Load Balancing logs datastream + type: enhancement + link: https://github.com/elastic/integrations/pull/3493 +- version: "2.5.0" + changes: + - description: Add GCP Load Balancing Metricset + type: enhancement + link: https://github.com/elastic/integrations/pull/2308 + - description: Fix credentials_json escaping in loadbalancing_metrics + type: bugfix + link: https://github.com/elastic/integrations/pull/3986 + - description: Update loadbalancing_metrics default period to 60s + type: bugfix + link: https://github.com/elastic/integrations/pull/3986 + - description: Fix event.dataset for loadbalancing_metrics + type: bugfix + link: https://github.com/elastic/integrations/pull/3986 + - description: Add loadbalancing_metrics distribution fields + type: enhancement + link: https://github.com/elastic/integrations/pull/4004 +- version: "2.4.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3865 +- version: "2.3.0" + changes: + - description: Add additional parsing for DNS Public Zone Query Logs + type: enhancement + link: https://github.com/elastic/integrations/pull/2340 +- version: "2.2.1" + changes: + - description: Fix Billing policy template title and default period for gcp.compute + type: enhancement + link: https://github.com/elastic/integrations/pull/3821 +- version: "2.2.0" + changes: + - description: Remove fields duplicated in ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3609 +- version: "2.1.0" + changes: + - description: restore compatibility with 7.17 release track + type: enhancement + link: foobar +- version: "2.0.0" + changes: + - description: | + Move configurations to support metrics. This change is breaking, as it moves + some configuration from the top level variables to data stream variables. + + This change involves `project_id`, `credentials_file` and `credentials_json` + variables that are moved from input level configuration to package level + configuration (as those variables are reused across all inputs/data streams). + + Users with GCP integration enabled will need to input values for these + variables again when upgrading the policies to this version. + type: breaking-change + link: https://github.com/elastic/integrations/pull/2707 + - description: Add GCP Billing Data Stream + type: enhancement + link: https://github.com/elastic/integrations/pull/2141 + - description: Add GCP Compute Data Stream + type: enhancement + link: https://github.com/elastic/integrations/pull/2301 + - description: Add GCP Firestore Data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/2704 +- version: "1.10.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.9.2" + changes: + - description: Fix GCP auditlog parsing issue on response status + type: bugfix + link: https://github.com/elastic/integrations/pull/3583 +- version: "1.9.1" + changes: + - description: Update readme + type: enhancement + link: https://github.com/elastic/integrations/pull/3103 +- version: "1.9.0" + changes: + - description: Preserve request and response in flattened fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/3390 +- version: "1.8.0" + changes: + - description: Add missing `cloud.provider` field. + type: enhancement + link: https://github.com/elastic/integrations/pull/3274 +- version: "1.7.0" + changes: + - description: Add dashboards for firewall and vpc flow logs. + type: enhancement + link: https://github.com/elastic/integrations/pull/3280 + - description: Add missing mappings for several `event.*` fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/3280 +- version: "1.6.1" + changes: + - description: Clarify the GCP privileges required by the Pub/Sub input. + type: enhancement + link: https://github.com/elastic/integrations/pull/3206 +- version: "1.6.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "1.5.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.5.0" + changes: + - description: Improve Google Cloud Platform docs. + type: enhancement + link: https://github.com/elastic/integrations/pull/2842 +- version: "1.4.2" + changes: + - description: Remove emtpy values, names with only dots, and invalid client IPs. + type: bugfix + link: https://github.com/elastic/integrations/pull/2747 +- version: "1.4.1" + changes: + - description: Fix quoting of the credentials_json value in policy templates. + type: bugfix + link: https://github.com/elastic/integrations/pull/2712 +- version: "1.4.0" + changes: + - description: Add gcp.dns integration + type: enhancement + link: https://github.com/elastic/integrations/pull/2624 +- version: "1.3.1" + changes: + - description: Add Ingest Pipeline script to map IANA Protocol Numbers + type: bugfix + link: https://github.com/elastic/integrations/pull/2470 +- version: "1.3.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2406 +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2251 +- version: "1.1.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1965 +- version: "1.1.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1818 +- version: "1.1.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1661 +- version: "1.0.0" + changes: + - description: Move from experimental to GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1568 + - description: remove experimental from data_sets + type: enhancement + link: https://github.com/elastic/integrations/pull/1717 +- version: "0.3.3" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1478 +- version: '0.3.2' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1385 +- version: "0.3.1" + changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1405 +- version: "0.3.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.2.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1240 +- version: "0.1.0" + changes: + - description: update to ECS 1.10.0 and adding event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1045 +- version: "0.0.2" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/846 +- version: "0.0.1" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/459 diff --git a/packages/gcp/2.13.0/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.13.0/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs new file mode 100755 index 0000000000..d582de0a80 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs @@ -0,0 +1,27 @@ +project_id: {{project_id}} +topic: {{topic}} +subscription.name: {{subscription_name}} +{{#if credentials_file}} +credentials_file: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if alternative_host}} +alternative_host: {{alternative_host}} +{{/if}} +subscription.create: {{subscription_create}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/gcp/2.13.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..29baf0ede7 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,397 @@ +--- +description: Pipeline for Google Cloud audit logs + +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - set: + field: gcp.audit.type + copy_from: "json.protoPayload.@type" + ignore_failure: true +## +# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry +# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog +## + - drop: + description: Drop the document if it is not of AuditLog type + if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog' +# .insertId + - set: + field: event.id + copy_from: json.insertId + if: ctx.json?.insertId != null +# .logName + - rename: + field: json.logName + target_field: log.logger + ignore_missing: true +# .severity + - rename: + field: json.severity + target_field: log.level + ignore_missing: true +## +# Extract the type of audit logging data from logName to event.provider +# https://cloud.google.com/pubsub/docs/audit-logging#log_name +## + - dissect: + field: log.logger + pattern: "%{}%2F%{event.provider}" + ignore_missing: true + # NOTE test data fails the spec + ignore_failure: true + + - set: + field: event.kind + value: event + - set: + field: cloud.provider + value: gcp + - date: + field: json.timestamp + timezone: UTC + formats: + - ISO8601 +## +# MonitoredResource +# .resource +# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource +## + - set: + field: cloud.project.id + copy_from: json.resource.labels.project_id + if: ctx.json?.resource?.labels?.project_id != null + - set: + field: cloud.instance.id + copy_from: json.resource.labels.instance_id + if: ctx.json?.resource?.labels?.instance_id != null +## +# MonitoredResourceDescriptor type +# https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor +# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list +## + - set: + field: orchestrator.type + value: kubernetes + if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') + - set: + field: orchestrator.cluster.name + copy_from: json.resource.labels.cluster_name + ignore_empty_value: true + if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster') + - set: + field: _temp.type + copy_from: json.protoPayload.resourceName + ignore_empty_value: true + if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster' + - grok: + field: _temp.type + patterns: + - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?' + - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}' + - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}' + - 'api/%{API_VERSION:orchestrator.api_version}' + - '%{RESOURCE_TYPE:orchestrator.resource.type}' + pattern_definitions: + API_VERSION: (v\d+([a-z]+)?(\d+)?) + RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) + ignore_missing: true + +## +# AuthenticationInfo +# .protoPayload.authenticationInfo +# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo +## +# email address of authenticated user (redacted) or service account +# principalEmail -> client.user.email + - rename: + field: json.protoPayload.authenticationInfo.principalEmail + target_field: client.user.email + ignore_missing: true +# identity of requesting first or third party +# principalSubject -> client.user.id + - rename: + field: json.protoPayload.authenticationInfo.principalSubject + target_field: client.user.id + ignore_missing: true + - rename: + field: json.protoPayload.authenticationInfo.authoritySelector + target_field: gcp.audit.authentication_info.authority_selector + ignore_missing: true + + - rename: + field: gcp.audit.authentication_info.principal_email + target_field: client.user.email + if: ctx.client?.user?.email == null + ignore_missing: true + - remove: + field: gcp.audit.authentication_info.principal_email + if: ctx.client?.user?.email == ctx.gcp?.audit?.authentication_info?.principal_email + ignore_missing: true + - rename: + field: gcp.audit.authentication_info.principal_subject + target_field: client.user.id + if: ctx.client?.user?.id == null + ignore_missing: true + - remove: + field: gcp.audit.authentication_info.principal_subject + if: ctx.client?.user?.id == ctx.gcp?.audit?.authentication_info?.principal_subject + ignore_missing: true +## +# AuthorizationInfo +# .protoPayload.authorizationInfo +# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo +## + - rename: + field: json.protoPayload.authorizationInfo + target_field: gcp.audit.authorization_info + ignore_missing: true + - foreach: + field: gcp.audit.authorization_info + ignore_missing: true + ignore_failure: true + processor: + rename: + field: _ingest._value.resourceAttributes + target_field: _ingest._value.resource_attributes + if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List + +## +# Labels +# .labels +## + - set: + field: gcp.audit.labels + copy_from: json.labels + if: ctx.json?.labels != null +## +# RequestMetadata +# .protoPayload.requestMetadata +# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata +## + - convert: + if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip" + type: ip + field: json.protoPayload.requestMetadata.callerIp + target_field: source.ip + ignore_missing: true + - rename: + field: json.protoPayload.requestMetadata.callerSuppliedUserAgent + target_field: user_agent.original + ignore_missing: true + - user_agent: + field: user_agent.original + ignore_missing: true +## +# LogEntryOperation +# .operation +# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation +## +# set only if it is not the same as insertId + - set: + field: gcp.audit.logentry_operation.id + copy_from: json.operation.id + if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id + - script: + lang: painless + description: set event.category and type for long running operation + tag: set-event-type-for-long-operations + if: ctx.json?.operation != null + source: | + def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first; + def last = (ctx.json.operation.last == null) ? false : ctx.json.operation.last; + if (first && last) { + return; + } + if (ctx.event.category == null) { + ctx.event.category = new ArrayList(); + } + if (ctx.event.type == null) { + ctx.event.type = new ArrayList(); + } + ctx.event.category.add('session'); + if (first == true && last == false) { + ctx.event.type.add('start'); + } + if (first == false && last == true) { + ctx.event.type.add('end'); + } + +# TODO remove duplicate protoPayload.methodName + - rename: + field: json.protoPayload.methodName + target_field: event.action + ignore_missing: true + - convert: + field: json.protoPayload.numResponseItems + target_field: gcp.audit.num_response_items + type: long + ignore_missing: true + - set: + field: gcp.audit.request + copy_from: json.protoPayload.request + if: ctx.json?.protoPayload?.request != null + - set: + field: gcp.audit.response + copy_from: json.protoPayload.response + if: ctx.json?.protoPayload?.response != null + - remove: + field: gcp.audit.response.status + ignore_missing: true + if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) + - rename: + field: json.protoPayload.response.status + target_field: gcp.audit.response.status_value + ignore_missing: true + if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map) + - rename: + field: json.protoPayload.resourceName + target_field: gcp.audit.resource_name + ignore_missing: true + if: ctx.orchestrator?.type != 'kubernetes' + - rename: + field: json.protoPayload.resourceLocation.currentLocations + target_field: gcp.audit.resource_location.current_locations + ignore_missing: true + - rename: + field: json.protoPayload.serviceName + target_field: gcp.audit.service_name + ignore_missing: true + - rename: + field: gcp.audit.service_name + target_field: service.name + if: ctx.service?.name == null + ignore_missing: true +## +# .protoPayload.Status +# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status +# google.rpc.Code referred in Status can have the following values +# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto +## + - convert: + field: json.protoPayload.status.code + target_field: gcp.audit.status.code + type: long + ignore_missing: true + - rename: + field: json.protoPayload.status.message + target_field: gcp.audit.status.message + ignore_missing: true + - set: + field: event.outcome + value: success + if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0 + - set: + field: event.outcome + value: failure + if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0 + - set: + field: event.outcome + value: success + if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted + - set: + field: event.outcome + value: failure + if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + +## +# if gcp.audit.authorization_info.[0].granted is true then +# set event.category [network, configuration] and event.type to [access, allowed]; +# Caveat +# 1. protoPayload.resourceName is a single value while authorization_info[].resource +# is a list. +# 2. as per test data authorization_info may not be as per spec. +## + - append: + field: event.category + value: ['network', 'configuration'] + if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 + - append: + field: event.type + value: ['access', 'allowed'] + if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted + - append: + field: event.type + value: ['access', 'denied'] + if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted + + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + +## +# clean-up +## + - remove: + field: + - _temp + - json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + description: Drops null and empty values and dotted keys recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + def m = ((Map) o); + def it = m.entrySet().iterator(); + while (it.hasNext()) { + def e = ((Map.Entry) it.next()); + def key = ((String) e.getKey()); + def value = e.getValue(); + Pattern onlyDotsRegex = /^\.+$/; + if (onlyDotsRegex.matcher(key).matches() || drop(value)) { + it.remove(); + } + } + return (m.size() == 0); + } else if (o instanceof List) { + def l = ((List) o); + l.removeIf(v -> drop(v)); + return (l.length == 0); + } + return false; + } + drop(ctx); +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.13.0/data_stream/audit/fields/agent.yml b/packages/gcp/2.13.0/data_stream/audit/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/gcp/2.13.0/data_stream/audit/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..4a7da76510 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.audit diff --git a/packages/gcp/2.13.0/data_stream/audit/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..4487d9358b --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/fields/ecs.yml @@ -0,0 +1,203 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: API version being used to carry out the action + name: orchestrator.api_version + type: keyword +- description: Name of the cluster. + name: orchestrator.cluster.name + type: keyword +- description: URL of the API used to manage the cluster. + name: orchestrator.cluster.url + type: keyword +- description: The version of the cluster. + name: orchestrator.cluster.version + type: keyword +- description: Namespace in which the action is taking place. + name: orchestrator.namespace + type: keyword +- description: Organization affected by the event (for multi-tenant orchestrator setups). + name: orchestrator.organization + type: keyword +- description: Name of the resource being acted upon. + name: orchestrator.resource.name + type: keyword +- description: Type of resource being acted upon. + name: orchestrator.resource.type + type: keyword +- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). + name: orchestrator.type + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: user_agent.os.platform + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Error message. + name: error.message + type: match_only_text diff --git a/packages/gcp/2.13.0/data_stream/audit/fields/fields.yml b/packages/gcp/2.13.0/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..12064f765e --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/fields/fields.yml @@ -0,0 +1,115 @@ +- name: gcp.audit + type: group + fields: + - name: type + type: keyword + description: | + Type property. + - name: authentication_info + type: group + fields: + - name: principal_email + type: keyword + description: "The email address of the authenticated user making the request." + - name: authority_selector + type: keyword + description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." + - name: principal_subject + type: keyword + description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." + - name: authorization_info + type: array + description: | + Authorization information for the operation. + fields: + - name: permission + type: keyword + description: "The required IAM permission." + - name: granted + type: boolean + description: "Whether or not authorization for resource and permission was granted." + - name: resource + type: keyword + description: "The resource being accessed, as a REST-style string." + - name: resource_attributes + type: group + fields: + - name: service + type: keyword + description: | + The name of the service. + - name: name + type: keyword + description: | + The name of the resource. + - name: type + type: keyword + description: | + The type of the resource. + - name: labels + type: flattened + description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." + - name: logentry_operation + type: group + fields: + - name: id + type: keyword + description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." + - name: producer + type: keyword + description: "Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique." + - name: first + type: boolean + description: "Optional. Set this to True if this is the first log entry in the operation." + - name: last + type: boolean + description: "Optional. Set this to True if this is the last log entry in the operation." + - name: method_name + type: keyword + description: | + The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. + - name: num_response_items + type: long + description: | + The number of items returned from a List or Query API method, if applicable. + - name: request + type: flattened + - name: request_metadata + type: group + fields: + - name: caller_ip + type: ip + description: "The IP address of the caller." + - name: raw.caller_ip + type: keyword + description: "The raw IP address of the caller." + - name: caller_supplied_user_agent + type: keyword + description: | + The user agent of the caller. This information is not authenticated and should be treated accordingly. + - name: response + type: flattened + - name: resource_name + type: keyword + description: | + The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. + - name: resource_location + type: group + fields: + - name: current_locations + type: array + description: | + Current locations of the resource. + - name: service_name + type: keyword + description: | + The name of the API service performing the operation. For example, datastore.googleapis.com. + - name: status + type: group + fields: + - name: code + type: integer + description: "The status code, which should be an enum value of google.rpc.Code." + - name: message + type: keyword + description: "A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/2.13.0/data_stream/audit/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/audit/fields/package-fields.yml new file mode 100755 index 0000000000..88482fd9c1 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/fields/package-fields.yml @@ -0,0 +1,63 @@ +- name: gcp + type: group + fields: + - name: destination.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: destination.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. + - name: source.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: source.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.13.0/data_stream/audit/manifest.yml b/packages/gcp/2.13.0/data_stream/audit/manifest.yml new file mode 100755 index 0000000000..9386ed5ea0 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/manifest.yml @@ -0,0 +1,65 @@ +type: logs +title: Google Cloud Platform (GCP) audit logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-audit + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-audit + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: alternative_host + type: text + title: Alternative host + multi: false + required: false + show_user: false + description: "Overrides the default Pub/Sub service address and disables TLS. For testing." + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/2.13.0/data_stream/audit/sample_event.json b/packages/gcp/2.13.0/data_stream/audit/sample_event.json new file mode 100755 index 0000000000..095cfe4a14 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/audit/sample_event.json @@ -0,0 +1,121 @@ +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-06-28T02:45:52.230Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-06-28T02:45:53Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", + "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": "jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status_value": "Success" + }, + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/billing/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/billing/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..ed6242e5ba --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/billing/agent/stream/stream.yml.hbs @@ -0,0 +1,12 @@ +metricsets: ["billing"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +dataset_id: {{dataset_id}} +table_pattern: {{table_pattern}} +cost_type: {{cost_type}} diff --git a/packages/gcp/2.13.0/data_stream/billing/fields/agent.yml b/packages/gcp/2.13.0/data_stream/billing/fields/agent.yml new file mode 100755 index 0000000000..55b1dd9741 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/billing/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/billing/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/billing/fields/base-fields.yml new file mode 100755 index 0000000000..c6cc715075 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/billing/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.billing diff --git a/packages/gcp/2.13.0/data_stream/billing/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/billing/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/billing/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/billing/fields/fields.yml b/packages/gcp/2.13.0/data_stream/billing/fields/fields.yml new file mode 100755 index 0000000000..01a7e615bf --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/billing/fields/fields.yml @@ -0,0 +1,22 @@ +- name: gcp.billing + type: group + description: Google Cloud Billing metrics + fields: + - name: cost_type + type: keyword + description: Cost types include regular, tax, adjustment, and rounding_error. + - name: invoice_month + type: keyword + description: Billing report month. + - name: project_id + type: keyword + description: Project ID of the billing report belongs to. + - name: project_name + type: keyword + description: Project Name of the billing report belongs to. + - name: total + type: float + description: Total billing amount. + - name: billing_account_id + type: keyword + description: Project Billing Account ID. diff --git a/packages/gcp/2.13.0/data_stream/billing/manifest.yml b/packages/gcp/2.13.0/data_stream/billing/manifest.yml new file mode 100755 index 0000000000..0b2342e949 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/billing/manifest.yml @@ -0,0 +1,34 @@ +title: "GCP Billing Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP Billing Metrics + description: Collect GCP Billing Metrics + vars: + - name: period + type: text + title: Period + default: 24h + - name: dataset_id + type: text + title: Dataset ID + multi: false + required: true + show_user: true + description: "Dataset ID that points to the top-level container which contains the actual billing tables." + - name: table_pattern + type: text + title: Table pattern + multi: false + required: true + show_user: true + description: "Daily cost detail billing table name prefix." + default: gcp_billing_export_v1 + - name: cost_type + type: text + title: Cost Type + multi: false + required: true + show_user: true + description: "The type of cost this line item represents: regular, tax, adjustment, or rounding error" + default: regular diff --git a/packages/gcp/2.13.0/data_stream/billing/sample_event.json b/packages/gcp/2.13.0/data_stream/billing/sample_event.json new file mode 100755 index 0000000000..2acd0b4308 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/billing/sample_event.json @@ -0,0 +1,35 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "01475F-5B1080-1137E7" + }, + "project": { + "id": "elastic-bi", + "name": "elastic-containerlib-prod" + }, + "provider": "gcp" + }, + "event": { + "dataset": "gcp.billing", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "billing": { + "billing_account_id": "01475F-5B1080-1137E7", + "cost_type": "regular", + "invoice_month": "202106", + "project_id": "containerlib-prod-12763", + "project_name": "elastic-containerlib-prod", + "total": 4717.170681 + } + }, + "metricset": { + "name": "billing", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/compute/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/compute/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..dd973286ef --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/agent/stream/stream.yml.hbs @@ -0,0 +1,38 @@ +metricsets: ["metrics"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if zone}} +zone: {{zone}} +{{/if}} +exclude_labels: {{exclude_labels}} +metrics: + - service: compute + metric_types: + - "firewall/dropped_bytes_count" + - "firewall/dropped_packets_count" + - "instance/cpu/reserved_cores" + - "instance/cpu/usage_time" + - "instance/cpu/utilization" + - "instance/disk/read_bytes_count" + - "instance/disk/read_ops_count" + - "instance/disk/write_bytes_count" + - "instance/disk/write_ops_count" + - "instance/memory/balloon/ram_size" + - "instance/memory/balloon/ram_used" + - "instance/memory/balloon/swap_in_bytes_count" + - "instance/memory/balloon/swap_out_bytes_count" + - "instance/network/received_bytes_count" + - "instance/network/received_packets_count" + - "instance/network/sent_bytes_count" + - "instance/network/sent_packets_count" + - "instance/uptime" + - "instance/uptime_total" diff --git a/packages/gcp/2.13.0/data_stream/compute/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/compute/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..941808c0d2 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,87 @@ +--- +description: Pipeline for parsing GCP Compute metrics. +processors: + - rename: + field: gcp.metrics.firewall.dropped.bytes + target_field: gcp.compute.firewall.dropped.bytes + ignore_missing: true + - rename: + field: gcp.metrics.firewall.dropped_packets_count.value + target_field: gcp.compute.firewall.dropped_packets_count.value + ignore_missing: true + - rename: + field: gcp.metrics.instance.cpu.reserved_cores.value + target_field: gcp.compute.instance.cpu.reserved_cores.value + ignore_missing: true + - rename: + field: gcp.metrics.instance.cpu.usage_time.sec + target_field: gcp.compute.instance.cpu.usage_time.sec + ignore_missing: true + - rename: + field: gcp.metrics.instance.cpu.usage.pct + target_field: gcp.compute.instance.cpu.usage.pct + ignore_missing: true + - rename: + field: gcp.metrics.instance.disk.read.bytes + target_field: gcp.compute.instance.disk.read.bytes + ignore_missing: true + - rename: + field: gcp.metrics.instance.disk.read_ops_count.value + target_field: gcp.compute.instance.disk.read_ops_count.value + ignore_missing: true + - rename: + field: gcp.metrics.instance.disk.write.bytes + target_field: gcp.compute.instance.disk.write.bytes + ignore_missing: true + - rename: + field: gcp.metrics.instance.disk.write_ops_count.value + target_field: gcp.compute.instance.disk.write_ops_count.value + ignore_missing: true + - rename: + field: gcp.metrics.instance.memory.balloon.ram_size.value + target_field: gcp.compute.instance.memory.balloon.ram_size.value + ignore_missing: true + - rename: + field: gcp.metrics.instance.memory.balloon.ram_used.value + target_field: gcp.compute.instance.memory.balloon.ram_used.value + ignore_missing: true + - rename: + field: gcp.metrics.instance.memory.balloon.swap_in.bytes + target_field: gcp.compute.instance.memory.balloon.swap_in.bytes + ignore_missing: true + - rename: + field: gcp.metrics.instance.memory.balloon.swap_out.bytes + target_field: gcp.compute.instance.memory.balloon.swap_out.bytes + ignore_missing: true + - rename: + field: gcp.metrics.instance.network.ingress.bytes + target_field: gcp.compute.instance.network.ingress.bytes + ignore_missing: true + - rename: + field: gcp.metrics.instance.network.ingress.packets.count + target_field: gcp.compute.instance.network.ingress.packets.count + ignore_missing: true + - rename: + field: gcp.metrics.instance.network.egress.bytes + target_field: gcp.compute.instance.network.egress.bytes + ignore_missing: true + - rename: + field: gcp.metrics.instance.network.egress.packets.count + target_field: gcp.compute.instance.network.egress.packets.count + ignore_missing: true + - rename: + field: gcp.metrics.instance.uptime.sec + target_field: gcp.compute.instance.uptime.sec + ignore_missing: true + - rename: + field: gcp.metrics.instance.uptime_total.sec + target_field: gcp.compute.instance.uptime_total.sec + ignore_missing: true + - remove: + field: + - gcp.metrics + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/compute/fields/agent.yml b/packages/gcp/2.13.0/data_stream/compute/fields/agent.yml new file mode 100755 index 0000000000..8e686410af --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/compute/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/compute/fields/base-fields.yml new file mode 100755 index 0000000000..e53dc6c3e2 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.compute diff --git a/packages/gcp/2.13.0/data_stream/compute/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/compute/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/compute/fields/fields.yml b/packages/gcp/2.13.0/data_stream/compute/fields/fields.yml new file mode 100755 index 0000000000..c55330dd65 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/fields/fields.yml @@ -0,0 +1,61 @@ +- name: gcp.compute + description: Google Cloud Compute metrics + type: group + fields: + - name: firewall.dropped.bytes + type: long + description: Incoming bytes dropped by the firewall + - name: firewall.dropped_packets_count.value + type: long + description: Incoming packets dropped by the firewall + - name: instance.cpu.reserved_cores.value + type: double + description: Number of cores reserved on the host of the instance + - name: instance.cpu.usage_time.sec + type: double + description: Usage for all cores in seconds + - name: instance.cpu.usage.pct + type: double + description: The fraction of the allocated CPU that is currently in use on the instance + - name: instance.disk.read.bytes + type: long + description: Count of bytes read from disk + - name: instance.disk.read_ops_count.value + type: long + description: Count of disk read IO operations + - name: instance.disk.write.bytes + type: long + description: Count of bytes written to disk + - name: instance.disk.write_ops_count.value + type: long + description: Count of disk write IO operations + - name: instance.memory.balloon.ram_size.value + type: long + description: The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. + - name: instance.memory.balloon.ram_used.value + type: long + description: Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. + - name: instance.memory.balloon.swap_in.bytes + type: long + description: The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. + - name: instance.memory.balloon.swap_out.bytes + type: long + description: The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. + - name: instance.network.ingress.bytes + type: long + description: Count of bytes received from the network + - name: instance.network.ingress.packets.count + type: long + description: Count of packets received from the network + - name: instance.network.egress.bytes + type: long + description: Count of bytes sent over the network + - name: instance.network.egress.packets.count + type: long + description: Count of packets sent over the network + - name: instance.uptime.sec + type: long + description: Number of seconds the VM has been running. + - name: instance.uptime_total.sec + type: long + description: Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.13.0/data_stream/compute/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/compute/fields/package-fields.yml new file mode 100755 index 0000000000..d8ccb93f50 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/fields/package-fields.yml @@ -0,0 +1,31 @@ +- name: gcp + description: >- + GCP module + fields: + - name: labels + type: object + description: >- + GCP monitoring metrics labels + fields: + - name: user.* + type: object + object_type: keyword + - name: metadata.* + type: object + object_type: keyword + - name: metrics.* + type: object + object_type: keyword + - name: system.* + type: object + object_type: keyword + - name: resource.* + type: object + object_type: keyword + - name: "metrics.*.*.*.*" + type: object + object_type: double + object_type_mapping_type: "*" + description: > + Metrics that returned from Google Cloud API query. + diff --git a/packages/gcp/2.13.0/data_stream/compute/manifest.yml b/packages/gcp/2.13.0/data_stream/compute/manifest.yml new file mode 100755 index 0000000000..b5fba4c90e --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/manifest.yml @@ -0,0 +1,31 @@ +title: "GCP Compute Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP Compute Metrics + description: Collect GCP Compute Metrics + vars: + - name: zone + type: text + title: GCP Zone + multi: false + required: false + show_user: true + - name: region + type: text + title: GCP Region + multi: false + required: false + show_user: true + - name: period + type: text + title: Period + default: 60s + required: true + - name: exclude_labels + type: bool + title: Exclude Labels + description: Exclude additional labels from metrics + multi: false + required: false + show_user: true diff --git a/packages/gcp/2.13.0/data_stream/compute/sample_event.json b/packages/gcp/2.13.0/data_stream/compute/sample_event.json new file mode 100755 index 0000000000..62aabe7bdd --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/compute/sample_event.json @@ -0,0 +1,84 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.compute", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "compute": { + "firewall": { + "dropped": { + "bytes": 421 + }, + "dropped_packets_count": { + "value": 4 + } + }, + "instance": { + "cpu": { + "reserved_cores": { + "value": 1 + }, + "usage": { + "pct": 0.07259952346383708 + }, + "usage_time": { + "sec": 4.355971407830225 + } + }, + "memory": { + "balloon": { + "ram_size": { + "value": 4128378880 + }, + "ram_used": { + "value": 2190848000 + }, + "swap_in": { + "bytes": 0 + }, + "swap_out": { + "bytes": 0 + } + } + }, + "uptime": { + "sec": 60.00000000000091 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "compute", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/dataproc/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/dataproc/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..914e062aa2 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/agent/stream/stream.yml.hbs @@ -0,0 +1,37 @@ +metricsets: ["metrics"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +exclude_labels: {{exclude_labels}} +metrics: + - service: dataproc + metric_types: + - "cluster/hdfs/datanodes" + - "cluster/hdfs/storage_capacity" + - "cluster/hdfs/storage_utilization" + - "cluster/hdfs/unhealthy_blocks" + - "cluster/job/failed_count" + - "cluster/job/running_count" + - "cluster/job/submitted_count" + - "cluster/operation/failed_count" + - "cluster/operation/running_count" + - "cluster/operation/submitted_count" + - "cluster/yarn/allocated_memory_percentage" + - "cluster/yarn/apps" + - "cluster/yarn/containers" + - "cluster/yarn/memory_size" + - "cluster/yarn/nodemanagers" + - "cluster/yarn/pending_memory_size" + - "cluster/yarn/virtual_cores" + - "cluster/job/completion_time" + - "cluster/job/duration" + - "cluster/operation/completion_time" + - "cluster/operation/duration" \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..2bf0693774 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,100 @@ +--- +description: Pipeline for parsing GCP Dataproc metrics. +processors: + - rename: + field: gcp.metrics.batch.spark.executors.count + target_field: gcp.dataproc.batch.spark.executors.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.hdfs.datanodes.count + target_field: gcp.dataproc.cluster.hdfs.datanodes.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.hdfs.storage_capacity.value + target_field: gcp.dataproc.cluster.hdfs.storage_capacity.value + ignore_missing: true + - rename: + field: gcp.metrics.cluster.hdfs.storage_utilization.value + target_field: gcp.dataproc.cluster.hdfs.storage_utilization.value + ignore_missing: true + - rename: + field: gcp.metrics.cluster.hdfs.unhealthy_blocks.count + target_field: gcp.dataproc.cluster.hdfs.unhealthy_blocks.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.job.failed.count + target_field: gcp.dataproc.cluster.job.failed.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.job.running.count + target_field: gcp.dataproc.cluster.job.running.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.job.submitted.count + target_field: gcp.dataproc.cluster.job.submitted.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.operation.failed.count + target_field: gcp.dataproc.cluster.operation.failed.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.operation.running.count + target_field: gcp.dataproc.cluster.operation.running.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.operation.submitted.count + target_field: gcp.dataproc.cluster.operation.submitted.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.yarn.allocated_memory_percentage.value + target_field: gcp.dataproc.cluster.yarn.allocated_memory_percentage.value + ignore_missing: true + - rename: + field: gcp.metrics.cluster.yarn.apps.count + target_field: gcp.dataproc.cluster.yarn.apps.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.yarn.containers.count + target_field: gcp.dataproc.cluster.yarn.containers.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.yarn.memory_size.value + target_field: gcp.dataproc.cluster.yarn.memory_size.value + ignore_missing: true + - rename: + field: gcp.metrics.cluster.yarn.nodemanagers.count + target_field: gcp.dataproc.cluster.yarn.nodemanagers.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.yarn.pending_memory_size.value + target_field: gcp.dataproc.cluster.yarn.pending_memory_size.value + ignore_missing: true + - rename: + field: gcp.metrics.cluster.yarn.virtual_cores.count + target_field: gcp.dataproc.cluster.yarn.virtual_cores.count + ignore_missing: true + - rename: + field: gcp.metrics.cluster.job.completion_time.value + target_field: gcp.dataproc.cluster.job.completion_time.value + ignore_missing: true + - rename: + field: gcp.metrics.cluster.job.duration.value + target_field: gcp.dataproc.cluster.job.duration.value + ignore_missing: true + - rename: + field: gcp.metrics.cluster.operation.completion_time.value + target_field: gcp.dataproc.cluster.operation.completion_time.value + ignore_missing: true + - rename: + field: gcp.metrics.cluster.operation.duration.value + target_field: gcp.dataproc.cluster.operation.duration.value + ignore_missing: true + - remove: + ignore_missing: true + field: + - gcp.metrics + +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/dataproc/fields/agent.yml b/packages/gcp/2.13.0/data_stream/dataproc/fields/agent.yml new file mode 100755 index 0000000000..8e686410af --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/dataproc/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/dataproc/fields/base-fields.yml new file mode 100755 index 0000000000..0dbeaa24e6 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.dataproc diff --git a/packages/gcp/2.13.0/data_stream/dataproc/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/dataproc/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/dataproc/fields/fields.yml b/packages/gcp/2.13.0/data_stream/dataproc/fields/fields.yml new file mode 100755 index 0000000000..e7086b5977 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/fields/fields.yml @@ -0,0 +1,74 @@ +- name: gcp.dataproc + description: Google Cloud Dataproc metrics + type: group + fields: + - name: batch.spark.executors.count + type: long + description: Indicates the number of Batch Spark executors. + - name: cluster.hdfs.datanodes.count + type: long + description: Indicates the number of HDFS DataNodes that are running inside a cluster. + - name: cluster.hdfs.storage_capacity.value + type: double + description: Indicates capacity of HDFS system running on cluster in GB. + - name: cluster.hdfs.storage_utilization.value + type: double + description: The percentage of HDFS storage currently used. + - name: cluster.hdfs.unhealthy_blocks.count + type: long + description: Indicates the number of unhealthy blocks inside the cluster. + - name: cluster.job.failed.count + type: long + description: Indicates the number of jobs that have failed on a cluster. + - name: cluster.job.running.count + type: long + description: Indicates the number of jobs that are running on a cluster. + - name: cluster.job.submitted.count + type: long + description: Indicates the number of jobs that have been submitted to a cluster. + - name: cluster.operation.failed.count + type: long + description: Indicates the number of operations that have failed on a cluster. + - name: cluster.operation.running.count + type: long + description: Indicates the number of operations that are running on a cluster. + - name: cluster.operation.submitted.count + type: long + description: Indicates the number of operations that have been submitted to a cluster. + - name: cluster.yarn.allocated_memory_percentage.value + type: double + description: The percentage of YARN memory is allocated. + - name: cluster.yarn.apps.count + type: long + description: Indicates the number of active YARN applications. + - name: cluster.yarn.containers.count + type: long + description: Indicates the number of YARN containers. + - name: cluster.yarn.memory_size.value + type: double + description: Indicates the YARN memory size in GB. + - name: cluster.yarn.nodemanagers.count + type: long + description: Indicates the number of YARN NodeManagers running inside cluster. + - name: cluster.yarn.pending_memory_size.value + type: double + description: The current memory request, in GB, that is pending to be fulfilled by the scheduler. + - name: cluster.yarn.virtual_cores.count + type: long + description: Indicates the number of virtual cores in YARN. + - name: cluster.job.completion_time.value + type: object + object_type: histogram + description: The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. + - name: cluster.job.duration.value + type: object + object_type: histogram + description: The time jobs have spent in a given state. + - name: cluster.operation.completion_time.value + type: object + object_type: histogram + description: The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. + - name: cluster.operation.duration.value + type: object + object_type: histogram + description: The time operations have spent in a given state. diff --git a/packages/gcp/2.13.0/data_stream/dataproc/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/dataproc/fields/package-fields.yml new file mode 100755 index 0000000000..d8ccb93f50 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/fields/package-fields.yml @@ -0,0 +1,31 @@ +- name: gcp + description: >- + GCP module + fields: + - name: labels + type: object + description: >- + GCP monitoring metrics labels + fields: + - name: user.* + type: object + object_type: keyword + - name: metadata.* + type: object + object_type: keyword + - name: metrics.* + type: object + object_type: keyword + - name: system.* + type: object + object_type: keyword + - name: resource.* + type: object + object_type: keyword + - name: "metrics.*.*.*.*" + type: object + object_type: double + object_type_mapping_type: "*" + description: > + Metrics that returned from Google Cloud API query. + diff --git a/packages/gcp/2.13.0/data_stream/dataproc/manifest.yml b/packages/gcp/2.13.0/data_stream/dataproc/manifest.yml new file mode 100755 index 0000000000..8c46663bcc --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/manifest.yml @@ -0,0 +1,25 @@ +title: "GCP Dataproc Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP Dataproc Metrics + description: Collect GCP Dataproc Metrics + vars: + - name: region + type: text + title: GCP Region + multi: false + required: false + show_user: true + - name: period + type: text + title: Period + default: 60s + required: true + - name: exclude_labels + type: bool + title: Exclude Labels + description: Exclude additional labels from metrics + multi: false + required: false + show_user: true diff --git a/packages/gcp/2.13.0/data_stream/dataproc/sample_event.json b/packages/gcp/2.13.0/data_stream/dataproc/sample_event.json new file mode 100755 index 0000000000..e95592fbfb --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dataproc/sample_event.json @@ -0,0 +1,51 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.dataproc", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "dataproc": { + "cluster": { + "hdfs": { + "datanodes": { + "count": 15 + } + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "dataproc", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.13.0/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs new file mode 100755 index 0000000000..d582de0a80 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs @@ -0,0 +1,27 @@ +project_id: {{project_id}} +topic: {{topic}} +subscription.name: {{subscription_name}} +{{#if credentials_file}} +credentials_file: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if alternative_host}} +alternative_host: {{alternative_host}} +{{/if}} +subscription.create: {{subscription_create}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/gcp/2.13.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..c9acc2a47c --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,375 @@ +--- +description: Pipeline for Google Cloud DNS logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - set: + field: event.kind + value: event + - set: + field: event.category + value: network + - set: + field: event.action + value: dns-query + - set: + field: cloud.provider + value: gcp + - date: + field: json.timestamp + timezone: UTC + formats: + - ISO8601 + - rename: + field: json.logName + target_field: log.logger + ignore_missing: true + - rename: + field: json.severity + target_field: log.level + ignore_missing: true + - set: + field: event.id + copy_from: json.insertId + ignore_empty_value: true + ignore_failure: true + - convert: + field: json.resource.labels.project_id + target_field: cloud.project.id + type: string + ignore_missing: true + ignore_failure: true + - convert: + field: json.resource.labels.location + target_field: cloud.region + type: string + ignore_failure: true + - rename: + field: json.jsonPayload.authAnswer + target_field: gcp.dns.auth_answer + ignore_missing: true + - rename: + field: json.jsonPayload.destinationIP + target_field: gcp.dns.destination_ip + ignore_missing: true + - set: + field: destination.address + copy_from: gcp.dns.destination_ip + ignore_failure: true + - convert: + field: gcp.dns.destination_ip + target_field: destination.ip + type: ip + ignore_failure: true + - rename: + field: json.jsonPayload.egressError + target_field: gcp.dns.egress_error + ignore_missing: true + - rename: + field: json.jsonPayload.protocol + target_field: gcp.dns.protocol + ignore_missing: true + - set: + field: network.transport + copy_from: gcp.dns.protocol + ignore_failure: true + - lowercase: + field: network.transport + ignore_missing: true + - set: + field: network.iana_number + value: '6' + if: ctx.network?.transport == "tcp" + - set: + field: network.iana_number + value: '17' + if: ctx.network?.transport == "udp" + - set: + field: network.protocol + value: dns + - rename: + field: json.jsonPayload.queryName + target_field: gcp.dns.query_name + ignore_missing: true + - set: + field: dns.question.name + copy_from: gcp.dns.query_name + ignore_failure: true + - gsub: + field: dns.question.name + pattern: "[.]$" + replacement: "" + ignore_failure: true + - registered_domain: + field: dns.question.name + target_field: dns.question + - remove: + field: dns.question.domain + ignore_missing: true + - rename: + field: json.jsonPayload.queryType + target_field: gcp.dns.query_type + ignore_missing: true + - set: + field: dns.question.type + copy_from: gcp.dns.query_type + ignore_failure: true + - rename: + field: json.jsonPayload.rdata + target_field: gcp.dns.rdata + ignore_missing: true +### Internal DNS query parsing + - script: + if: ctx?.gcp?.dns?.rdata != null + lang: painless + tag: Process DNS RData + description: This script processes the DNS RData into `dns.answers`. + source: | + def rdata = ctx.gcp.dns.rdata; + def dns_answers = []; + + // Check for truncated answers. + def truncated = rdata.endsWith("...") ? 1 : 0; + + // Process answers. + def rdata_answers = /\n/.split(rdata); + + for (def i = 0; i < rdata_answers.length - truncated; i++) { + def answer_parts = /\t/.split(rdata_answers[i]); + + // Assign answer parts. + def name = answer_parts[0]; + def ttl = Long.parseLong(answer_parts[1]); + def cls = answer_parts[2]; + def type = answer_parts[3]; + def data = answer_parts[4]; + + // Remove trailing fullstop. + if (name.endsWith(".")) { + name = name.substring(0, name.length() - 1); + } + + if (data.endsWith(".")) { + data = data.substring(0, data.length() - 1); + } + + // Uppercase type. + type = type.toUpperCase(); + + dns_answers.add([ + "name": name, + "ttl": ttl, + "class": cls, + "type": type, + "data": data + ]); + } + ctx.dns.answers = dns_answers; +### External DNS query parsing + - script: + lang: painless + ignore_failure: true + description: This script processes the Public DNS RData into `dns.answers`. + if: ctx.json?.jsonPayload?.structuredRdata != null && ctx.json?.jsonPayload?.structuredRdata instanceof List + source: >- + List answers = new ArrayList(); + for (answer in ctx.json.jsonPayload.structuredRdata) { + Map new_answer = new HashMap(); + if(answer.class != null) { + new_answer.put("class", answer.class); + } + if(answer.type != null) { + new_answer.put("type", answer.type); + } + if(answer.ttl != null) { + new_answer.put("ttl", Long.parseLong(answer.ttl)); + } + if(answer.rvalue != null) { + new_answer.put("data", answer.rvalue); + if (new_answer.data != null && new_answer.data.length() > 0 && new_answer.data.substring(new_answer.data.length() - 1) == '.') { + new_answer.data = new_answer.data.substring(0, new_answer.data.length() - 1); + } + if (answer.domainName != null) { + new_answer.put("name", answer.domainName); + } + } + answers.add(new_answer); + } + if(ctx.dns.answers == null) { + ctx.dns.put('answers',new ArrayList()); + } + ctx.dns.answers = answers; + - script: + lang: painless + ignore_failure: true + if: ctx.dns?.answers != null && ctx.dns?.answers instanceof List + source: >- + List answers = new ArrayList(); + if(ctx.related == null) { + ctx.put('related', new HashMap()); + } + if(ctx.related.ip == null) { + ctx.related.put('ip',new ArrayList()); + } + if(ctx.dns.resolved_ip == null) { + ctx.dns.put('resolved_ip',new ArrayList()); + } + if(ctx.related.hosts == null) { + ctx.related.put('hosts',new ArrayList()); + } + for (answer in ctx.dns.answers) { + if(['A','AAAA'].contains(answer.type)) { + if(!ctx.related.ip.contains(answer.data)) { + ctx.related.ip.add(answer.data); + } + if(!ctx.dns.resolved_ip.contains(answer.data)) { + ctx.dns.resolved_ip.add(answer.data); + } + } + if(['CNAME'].contains(answer.type) && !ctx.related.hosts.contains(answer.data)) { + ctx.related.hosts.add(answer.data); + } + if(['MX'].contains(answer.type)) { + def mx_server = / /.split(answer.data); + if(mx_server[1] != null && !ctx.related.hosts.contains(mx_server[1])) + ctx.related.hosts.add(mx_server[1]); + } + } + - rename: + field: json.jsonPayload.responseCode + target_field: gcp.dns.response_code + ignore_missing: true + - set: + field: dns.response_code + copy_from: gcp.dns.response_code + ignore_failure: true + - set: + field: event.outcome + value: success + if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" + - set: + field: event.outcome + value: failure + if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" + - rename: + field: json.jsonPayload.serverLatency + target_field: gcp.dns.server_latency + ignore_missing: true + - rename: + field: json.jsonPayload.sourceIP + target_field: gcp.dns.source_ip + ignore_missing: true + - set: + field: source.address + copy_from: gcp.dns.source_ip + ignore_failure: true + - convert: + field: gcp.dns.source_ip + target_field: source.ip + type: ip + ignore_failure: true + - rename: + field: json.jsonPayload.sourceNetwork + target_field: gcp.dns.source_network + ignore_missing: true + - rename: + field: json.jsonPayload.vmInstanceIdString + target_field: gcp.dns.vm_instance_id + ignore_missing: true + - set: + field: cloud.instance.id + copy_from: gcp.dns.vm_instance_id + ignore_failure: true + - rename: + field: json.jsonPayload.vmInstanceName + target_field: gcp.dns.vm_instance_name + ignore_missing: true + - set: + field: cloud.instance.name + copy_from: gcp.dns.vm_instance_name + ignore_failure: true + - gsub: + field: cloud.instance.name + pattern: "^.*[.]" + replacement: "" + ignore_failure: true + - rename: + field: json.jsonPayload.vmProjectId + target_field: gcp.dns.vm_project_id + ignore_missing: true + - rename: + field: json.jsonPayload.vmZoneName + target_field: gcp.dns.vm_zone_name + ignore_missing: true + - set: + field: cloud.availability_zone + copy_from: gcp.dns.vm_zone_name + ignore_failure: true + - rename: + field: json.resource.labels.target_type + target_field: gcp.dns.target_type + ignore_missing: true + - rename: + field: json.resource.labels.source_type + target_field: gcp.dns.source_type + ignore_missing: true + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx.destination?.ip != null + - append: + field: related.hosts + value: "{{dns.question.name}}" + allow_duplicates: false + if: ctx.dns?.question?.name != null + - remove: + field: json + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.13.0/data_stream/dns/fields/agent.yml b/packages/gcp/2.13.0/data_stream/dns/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dns/fields/agent.yml @@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/gcp/2.13.0/data_stream/dns/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/dns/fields/base-fields.yml new file mode 100755 index 0000000000..bc80931b38 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dns/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.dns diff --git a/packages/gcp/2.13.0/data_stream/dns/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/dns/fields/ecs.yml new file mode 100755 index 0000000000..a9047fb7ae --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dns/fields/ecs.yml @@ -0,0 +1,156 @@ +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + normalize: + - array + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + normalize: + - array + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip diff --git a/packages/gcp/2.13.0/data_stream/dns/fields/fields.yml b/packages/gcp/2.13.0/data_stream/dns/fields/fields.yml new file mode 100755 index 0000000000..0edf352fb0 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dns/fields/fields.yml @@ -0,0 +1,56 @@ +- name: gcp.dns + type: group + fields: + - name: auth_answer + type: boolean + description: Authoritative answer. + - name: destination_ip + type: ip + description: Destination IP address, only applicable for forwarding cases. + - name: egress_error + type: keyword + description: Egress proxy error. + - name: protocol + type: keyword + description: Protocol TCP or UDP. + - name: query_name + type: keyword + description: DNS query name. + - name: query_type + type: keyword + description: DNS query type. + - name: rdata + type: keyword + description: DNS answer in presentation format, truncated to 260 bytes. + - name: response_code + type: keyword + description: Response code. + - name: server_latency + type: integer + description: Server latency. + - name: source_ip + type: ip + description: Source IP address of the query. + - name: source_network + type: keyword + description: Source network of the query. + - name: vm_instance_id + type: keyword + description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. + - name: vm_instance_name + type: keyword + description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. + - name: vm_project_id + type: keyword + description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. + - name: vm_zone_name + type: keyword + description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. + - name: source_type + type: keyword + description: >- + Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet + - name: target_type + type: keyword + description: >- + Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet diff --git a/packages/gcp/2.13.0/data_stream/dns/manifest.yml b/packages/gcp/2.13.0/data_stream/dns/manifest.yml new file mode 100755 index 0000000000..202ad033f7 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dns/manifest.yml @@ -0,0 +1,65 @@ +type: logs +title: Google Cloud Platform (GCP) DNS logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-dns + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-dns + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: alternative_host + type: text + title: Alternative host + multi: false + required: false + show_user: false + description: "Overrides the default Pub/Sub service address and disables TLS. For testing." + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-dns + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input diff --git a/packages/gcp/2.13.0/data_stream/dns/sample_event.json b/packages/gcp/2.13.0/data_stream/dns/sample_event.json new file mode 100755 index 0000000000..060beed6e6 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/dns/sample_event.json @@ -0,0 +1,105 @@ +{ + "@timestamp": "2021-12-12T15:59:40.446Z", + "agent": { + "ephemeral_id": "87190725-9632-41a5-ba26-ebffca397d74", + "id": "0168f0f0-b64d-4a7a-ba00-c309f9e7f0ca", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "cloud": { + "project": { + "id": "key-reference-123456" + }, + "provider": "gcp", + "region": "global" + }, + "data_stream": { + "dataset": "gcp.dns", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "216.239.32.106", + "ip": "216.239.32.106" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "67.43.156.13", + "name": "asdf.gcp.example.com.", + "ttl": 300, + "type": "A" + } + ], + "question": { + "name": "asdf.gcp.example.com", + "registered_domain": "example.com", + "subdomain": "asdf.gcp", + "top_level_domain": "com", + "type": "A" + }, + "resolved_ip": [ + "67.43.156.13" + ], + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "0168f0f0-b64d-4a7a-ba00-c309f9e7f0ca", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "dns-query", + "agent_id_status": "verified", + "category": "network", + "created": "2022-10-03T22:33:56.157Z", + "dataset": "gcp.dns", + "id": "zir4wud11tm", + "ingested": "2022-10-03T22:33:57Z", + "kind": "event", + "outcome": "success" + }, + "gcp": { + "dns": { + "auth_answer": true, + "destination_ip": "216.239.32.106", + "protocol": "UDP", + "query_name": "asdf.gcp.example.com.", + "query_type": "A", + "response_code": "NOERROR", + "server_latency": 0, + "source_type": "internet", + "target_type": "public-zone" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/key-reference-123456/logs/dns.googleapis.com%2Fdns_queries" + }, + "network": { + "iana_number": "17", + "protocol": "dns", + "transport": "udp" + }, + "related": { + "hosts": [ + "asdf.gcp.example.com" + ], + "ip": [ + "67.43.156.13", + "216.239.32.106" + ] + }, + "tags": [ + "forwarded", + "gcp-dns" + ] +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/firestore/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/firestore/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..646db263d0 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/agent/stream/stream.yml.hbs @@ -0,0 +1,22 @@ +metricsets: ["metrics"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if zone}} +zone: {{zone}} +{{/if}} +exclude_labels: {{exclude_labels}} +metrics: + - service: firestore + metric_types: + - "document/delete_count" + - "document/read_count" + - "document/write_count" \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..8556ebb766 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,23 @@ +--- +description: Pipeline for parsing GCP Firestore metrics. +processors: + - rename: + field: gcp.metrics.document.delete.count + target_field: gcp.firestore.document.delete.count + ignore_missing: true + - rename: + field: gcp.metrics.document.read.count + target_field: gcp.firestore.document.read.count + ignore_missing: true + - rename: + field: gcp.metrics.document.write.count + target_field: gcp.firestore.document.write.count + ignore_missing: true + - remove: + field: + - gcp.metrics + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/firestore/fields/agent.yml b/packages/gcp/2.13.0/data_stream/firestore/fields/agent.yml new file mode 100755 index 0000000000..8e686410af --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/firestore/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/firestore/fields/base-fields.yml new file mode 100755 index 0000000000..7d9cfc69ef --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.firestore diff --git a/packages/gcp/2.13.0/data_stream/firestore/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/firestore/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/firestore/fields/fields.yml b/packages/gcp/2.13.0/data_stream/firestore/fields/fields.yml new file mode 100755 index 0000000000..e470f84b87 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/fields/fields.yml @@ -0,0 +1,13 @@ +- name: gcp.firestore + description: Google Cloud Firestore metrics + type: group + fields: + - name: document.delete.count + type: long + description: The number of successful document deletes. + - name: document.read.count + type: long + description: The number of successful document reads from queries or lookups. + - name: document.write.count + type: long + description: The number of successful document writes. diff --git a/packages/gcp/2.13.0/data_stream/firestore/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/firestore/fields/package-fields.yml new file mode 100755 index 0000000000..d8ccb93f50 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/fields/package-fields.yml @@ -0,0 +1,31 @@ +- name: gcp + description: >- + GCP module + fields: + - name: labels + type: object + description: >- + GCP monitoring metrics labels + fields: + - name: user.* + type: object + object_type: keyword + - name: metadata.* + type: object + object_type: keyword + - name: metrics.* + type: object + object_type: keyword + - name: system.* + type: object + object_type: keyword + - name: resource.* + type: object + object_type: keyword + - name: "metrics.*.*.*.*" + type: object + object_type: double + object_type_mapping_type: "*" + description: > + Metrics that returned from Google Cloud API query. + diff --git a/packages/gcp/2.13.0/data_stream/firestore/manifest.yml b/packages/gcp/2.13.0/data_stream/firestore/manifest.yml new file mode 100755 index 0000000000..0b4061f8a5 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/manifest.yml @@ -0,0 +1,31 @@ +title: "GCP Firestore Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP Firestore Metrics + description: Collect GCP Firestore Metrics + vars: + - name: zone + type: text + title: GCP Zone + multi: false + required: false + show_user: true + - name: region + type: text + title: GCP Region + multi: false + required: false + show_user: true + - name: period + type: text + title: Period + default: 60s + required: true + - name: exclude_labels + type: bool + title: Exclude Labels + description: Exclude additional labels from metrics + multi: false + required: false + show_user: true diff --git a/packages/gcp/2.13.0/data_stream/firestore/sample_event.json b/packages/gcp/2.13.0/data_stream/firestore/sample_event.json new file mode 100755 index 0000000000..ddfe07c3a2 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firestore/sample_event.json @@ -0,0 +1,55 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.firestore", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "firestore": { + "document": { + "delete": { + "count": 3 + }, + "read": { + "count": 10 + }, + "write": { + "count": 1 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "firestore", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.13.0/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs new file mode 100755 index 0000000000..d582de0a80 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs @@ -0,0 +1,27 @@ +project_id: {{project_id}} +topic: {{topic}} +subscription.name: {{subscription_name}} +{{#if credentials_file}} +credentials_file: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if alternative_host}} +alternative_host: {{alternative_host}} +{{/if}} +subscription.create: {{subscription_create}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/gcp/2.13.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..05c30443fa --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,410 @@ +--- +description: Pipeline for Google Cloud Firewall Logs + +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - community_id: + source_ip: json.jsonPayload.connection.src_ip + source_port: json.jsonPayload.connection.src_port + destination_ip: json.jsonPayload.connection.dest_ip + destination_port: json.jsonPayload.connection.dest_port + iana_number: json.jsonPayload.connection.protocol + - date: + field: json.timestamp + timezone: UTC + formats: + - ISO8601 + - set: + field: event.kind + value: event + - set: + field: event.category + value: network + - set: + field: event.action + value: firewall-rule + - set: + field: cloud.provider + value: gcp + - rename: + field: json.logName + target_field: log.logger + ignore_missing: true + - rename: + field: json.resource.labels.subnetwork_name + target_field: network.name + ignore_missing: true + - set: + field: event.id + copy_from: json.insertId + ignore_empty_value: true + ignore_failure: true + - rename: + field: json.jsonPayload.disposition + target_field: event.type + if: ctx?.json?.jsonPayload?.disposition != null + - set: + field: event.type + value: connection + if: ctx?.event?.type != null + - lowercase: + field: event.type + - set: + field: network.direction + value: inbound + if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS" + - set: + field: network.direction + value: outbound + if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS" + - set: + field: network.direction + value: unknown + if: ctx?.network?.direction == null + - rename: + field: json.jsonPayload.vpc + target_field: json.jsonPayload.src_vpc + if: ctx?.network?.direction == "outbound" + ignore_missing: true + - rename: + field: json.jsonPayload.instance + target_field: json.jsonPayload.src_instance + if: ctx?.network?.direction == "outbound" + ignore_missing: true + - rename: + field: json.jsonPayload.location + target_field: json.jsonPayload.src_location + if: ctx?.network?.direction == "outbound" + ignore_missing: true + - rename: + field: json.jsonPayload.remote_vpc + target_field: json.jsonPayload.dest_vpc + if: ctx?.network?.direction == "outbound" + ignore_missing: true + - rename: + field: json.jsonPayload.remote_instance + target_field: json.jsonPayload.dest_instance + if: ctx?.network?.direction == "outbound" + ignore_missing: true + - rename: + field: json.jsonPayload.remote_location + target_field: json.jsonPayload.dest_location + if: ctx?.network?.direction == "outbound" + ignore_missing: true + - rename: + field: json.jsonPayload.vpc + target_field: json.jsonPayload.dest_vpc + if: ctx?.network?.direction == "inbound" + ignore_missing: true + - rename: + field: json.jsonPayload.instance + target_field: json.jsonPayload.dest_instance + if: ctx?.network?.direction == "inbound" + ignore_missing: true + - rename: + field: json.jsonPayload.location + target_field: json.jsonPayload.dest_location + if: ctx?.network?.direction == "inbound" + ignore_missing: true + - rename: + field: json.jsonPayload.remote_vpc + target_field: json.jsonPayload.src_vpc + if: ctx?.network?.direction == "inbound" + ignore_missing: true + - rename: + field: json.jsonPayload.remote_instance + target_field: json.jsonPayload.src_instance + if: ctx?.network?.direction == "inbound" + ignore_missing: true + - rename: + field: json.jsonPayload.remote_location + target_field: json.jsonPayload.src_location + if: ctx?.network?.direction == "inbound" + ignore_missing: true + - rename: + field: json.jsonPayload.connection.protocol + target_field: network.iana_number + ignore_missing: true + - convert: + field: network.iana_number + type: string + ignore_missing: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - rename: + field: json.jsonPayload.connection.dest_ip + target_field: destination.address + ignore_missing: true + - rename: + field: json.jsonPayload.connection.dest_port + target_field: destination.port + ignore_missing: true + - rename: + field: json.jsonPayload.connection.src_ip + target_field: source.address + ignore_missing: true + - rename: + field: json.jsonPayload.connection.src_port + target_field: source.port + ignore_missing: true + - rename: + field: json.jsonPayload.src_instance.vm_name + target_field: source.domain + ignore_missing: true + - rename: + field: json.jsonPayload.dest_instance.vm_name + target_field: destination.domain + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.continent + target_field: destination.geo.continent_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.country + target_field: destination.geo.country_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.region + target_field: destination.geo.region_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.city + target_field: destination.geo.city_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.continent + target_field: source.geo.continent_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.country + target_field: source.geo.country_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.region + target_field: source.geo.region_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.city + target_field: source.geo.city_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_instance + target_field: gcp.destination.instance + ignore_missing: true + - rename: + field: json.jsonPayload.dest_vpc + target_field: gcp.destination.vpc + ignore_missing: true + - rename: + field: json.jsonPayload.src_instance + target_field: gcp.source.instance + ignore_missing: true + - rename: + field: json.jsonPayload.src_vpc + target_field: gcp.source.vpc + ignore_missing: true + - rename: + field: json.jsonPayload.rule_details.reference + target_field: rule.name + ignore_missing: true + - set: + field: source.ip + value: "{{source.address}}" + if: ctx?.source?.address != null + ignore_failure: true + - set: + field: destination.ip + value: "{{destination.address}}" + if: ctx?.destination?.address != null + ignore_failure: true + - convert: + field: gcp.source.instance.project_id + target_field: cloud.project.id + type: string + ignore_missing: true + if: ctx?.network?.direction == "outbound" + - convert: + field: gcp.source.instance.vm_name + target_field: cloud.instance.name + type: string + ignore_missing: true + if: ctx?.network?.direction == "outbound" + - convert: + field: gcp.source.instance.region + target_field: cloud.region + type: string + ignore_missing: true + if: ctx?.network?.direction == "outbound" + - convert: + field: gcp.source.instance.zone + target_field: cloud.availability_zone + type: string + ignore_missing: true + if: ctx?.network?.direction == "outbound" + - convert: + field: gcp.source.vpc.subnetwork_name + target_field: network.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.network?.direction == "outbound" + - convert: + field: gcp.destination.instance.project_id + target_field: cloud.project.id + type: string + ignore_missing: true + if: ctx?.network?.direction == "inbound" + - convert: + field: gcp.destination.instance.vm_name + target_field: cloud.instance.name + type: string + ignore_missing: true + if: ctx?.network?.direction == "inbound" + - convert: + field: gcp.destination.instance.region + target_field: cloud.region + type: string + ignore_missing: true + if: ctx?.network?.direction == "inbound" + - convert: + field: gcp.destination.instance.zone + target_field: cloud.availability_zone + type: string + ignore_missing: true + if: ctx?.network?.direction == "inbound" + - convert: + field: gcp.destination.vpc.subnetwork_name + target_field: network.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.network?.direction == "inbound" + - set: + field: network.direction + value: internal + if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance + - set: + field: network.type + value: ipv4 + if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") + - set: + field: network.type + value: ipv6 + if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") + - rename: + field: json.jsonPayload.rule_details + target_field: gcp.firewall.rule_details + ignore_missing: true + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null && ctx?.source?.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" + - remove: + field: + - gcp.firewall.connection + - gcp.firewall.dest_location + - gcp.firewall.disposition + - gcp.firewall.src_location + - json + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.13.0/data_stream/firewall/fields/agent.yml b/packages/gcp/2.13.0/data_stream/firewall/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/gcp/2.13.0/data_stream/firewall/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/firewall/fields/base-fields.yml new file mode 100755 index 0000000000..93e2a6ab3b --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.firewall diff --git a/packages/gcp/2.13.0/data_stream/firewall/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/firewall/fields/ecs.yml new file mode 100755 index 0000000000..9723061204 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/fields/ecs.yml @@ -0,0 +1,243 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/firewall/fields/fields.yml b/packages/gcp/2.13.0/data_stream/firewall/fields/fields.yml new file mode 100755 index 0000000000..98681562b2 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/fields/fields.yml @@ -0,0 +1,44 @@ +- name: gcp.firewall + type: group + fields: + - name: rule_details + type: group + fields: + - name: priority + type: long + description: The priority for the firewall rule. + - name: action + type: keyword + description: Action that the rule performs on match. + - name: direction + type: keyword + description: Direction of traffic that matches this rule. + - name: reference + type: keyword + description: Reference to the firewall rule. + - name: source_range + type: keyword + description: List of source ranges that the firewall rule applies to. + - name: destination_range + type: keyword + description: List of destination ranges that the firewall applies to. + - name: source_tag + type: keyword + description: | + List of all the source tags that the firewall rule applies to. + - name: target_tag + type: keyword + description: | + List of all the target tags that the firewall rule applies to. + - name: ip_port_info + type: array + description: | + List of ip protocols and applicable port ranges for rules. + - name: source_service_account + type: keyword + description: | + List of all the source service accounts that the firewall rule applies to. + - name: target_service_account + type: keyword + description: | + List of all the target service accounts that the firewall rule applies to. diff --git a/packages/gcp/2.13.0/data_stream/firewall/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/firewall/fields/package-fields.yml new file mode 100755 index 0000000000..88482fd9c1 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/fields/package-fields.yml @@ -0,0 +1,63 @@ +- name: gcp + type: group + fields: + - name: destination.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: destination.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. + - name: source.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: source.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.13.0/data_stream/firewall/manifest.yml b/packages/gcp/2.13.0/data_stream/firewall/manifest.yml new file mode 100755 index 0000000000..0bc29d382e --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/manifest.yml @@ -0,0 +1,65 @@ +type: logs +title: Google Cloud Platform (GCP) firewall logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-firewall + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-firewall + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: alternative_host + type: text + title: Alternative host + multi: false + required: false + show_user: false + description: "Overrides the default Pub/Sub service address and disables TLS. For testing." + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-firewall + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input diff --git a/packages/gcp/2.13.0/data_stream/firewall/sample_event.json b/packages/gcp/2.13.0/data_stream/firewall/sample_event.json new file mode 100755 index 0000000000..b2ce153fb8 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/firewall/sample_event.json @@ -0,0 +1,119 @@ +{ + "@timestamp": "2019-10-30T13:52:42.191Z", + "agent": { + "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "test-beats" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.firewall", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.42.0.2", + "domain": "test-windows", + "ip": "10.42.0.2", + "port": 3389 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": "network", + "created": "2022-06-28T02:47:26.097Z", + "dataset": "gcp.firewall", + "id": "1f21ciqfpfssuo", + "ingested": "2022-06-28T02:47:27Z", + "kind": "event", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "test-beats", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "test-beats", + "subnetwork_name": "windows-isolated", + "vpc_name": "windows-isolated" + } + }, + "firewall": { + "rule_details": { + "action": "ALLOW", + "direction": "INGRESS", + "ip_port_info": [ + { + "ip_protocol": "TCP", + "port_range": [ + "3389" + ] + } + ], + "priority": 1000, + "source_range": [ + "0.0.0.0/0" + ], + "target_tag": [ + "allow-rdp" + ] + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" + }, + "network": { + "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", + "direction": "inbound", + "iana_number": "6", + "name": "windows-isolated", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.2.126", + "10.42.0.2" + ] + }, + "rule": { + "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" + }, + "source": { + "address": "192.168.2.126", + "geo": { + "continent_name": "Asia", + "country_name": "omn" + }, + "ip": "192.168.2.126", + "port": 64853 + }, + "tags": [ + "forwarded", + "gcp-firewall" + ] +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/gke/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/gke/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..0046ac8843 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/agent/stream/stream.yml.hbs @@ -0,0 +1,60 @@ +metricsets: ["metrics"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if zone}} +zone: {{zone}} +{{/if}} +exclude_labels: {{exclude_labels}} +metrics: + - service: gke + service_metric_prefix: kubernetes.io/ + metric_types: + - "container/cpu/core_usage_time" + - "container/cpu/limit_cores" + - "container/cpu/limit_utilization" + - "container/cpu/request_cores" + - "container/cpu/request_utilization" + - "container/ephemeral_storage/limit_bytes" + - "container/ephemeral_storage/request_bytes" + - "container/ephemeral_storage/used_bytes" + - "container/memory/limit_bytes" + - "container/memory/limit_utilization" + - "container/memory/page_fault_count" + - "container/memory/request_bytes" + - "container/memory/request_utilization" + - "container/memory/used_bytes" + - "container/restart_count" + - "container/uptime" + - "node/cpu/allocatable_cores" + - "node/cpu/allocatable_utilization" + - "node/cpu/core_usage_time" + - "node/cpu/total_cores" + - "node/ephemeral_storage/allocatable_bytes" + - "node/ephemeral_storage/inodes_free" + - "node/ephemeral_storage/inodes_total" + - "node/ephemeral_storage/total_bytes" + - "node/ephemeral_storage/used_bytes" + - "node/memory/allocatable_bytes" + - "node/memory/allocatable_utilization" + - "node/memory/total_bytes" + - "node/memory/used_bytes" + - "node/network/received_bytes_count" + - "node/network/sent_bytes_count" + - "node/pid_limit" + - "node/pid_used" + - "node_daemon/cpu/core_usage_time" + - "node_daemon/memory/used_bytes" + - "pod/network/received_bytes_count" + - "pod/network/sent_bytes_count" + - "pod/volume/total_bytes" + - "pod/volume/used_bytes" + - "pod/volume/utilization" \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/gke/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/gke/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..b97789bfa7 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,171 @@ +--- +description: Pipeline for parsing GCP GKE metrics. +processors: + - rename: + field: gcp.metrics.container.cpu.core_usage_time.sec + target_field: gcp.gke.container.cpu.core_usage_time.sec + ignore_missing: true + - rename: + field: gcp.metrics.container.cpu.limit_cores.value + target_field: gcp.gke.container.cpu.limit_cores.value + ignore_missing: true + - rename: + field: gcp.metrics.container.cpu.limit_utilization.pct + target_field: gcp.gke.container.cpu.limit_utilization.pct + ignore_missing: true + - rename: + field: gcp.metrics.container.cpu.request_cores.value + target_field: gcp.gke.container.cpu.request_cores.value + ignore_missing: true + - rename: + field: gcp.metrics.container.cpu.request_utilization.pct + target_field: gcp.gke.container.cpu.request_utilization.pct + ignore_missing: true + - rename: + field: gcp.metrics.container.ephemeral_storage.limit.bytes + target_field: gcp.gke.container.ephemeral_storage.limit.bytes + ignore_missing: true + - rename: + field: gcp.metrics.container.ephemeral_storage.request.bytes + target_field: gcp.gke.container.ephemeral_storage.request.bytes + ignore_missing: true + - rename: + field: gcp.metrics.container.ephemeral_storage.used.bytes + target_field: gcp.gke.container.ephemeral_storage.used.bytes + ignore_missing: true + - rename: + field: gcp.metrics.container.memory.limit.bytes + target_field: gcp.gke.container.memory.limit.bytes + ignore_missing: true + - rename: + field: gcp.metrics.container.memory.limit_utilization.pct + target_field: gcp.gke.container.memory.limit_utilization.pct + ignore_missing: true + - rename: + field: gcp.metrics.container.memory.page_fault.count + target_field: gcp.gke.container.memory.page_fault.count + ignore_missing: true + - rename: + field: gcp.metrics.container.memory.request.bytes + target_field: gcp.gke.container.memory.request.bytes + ignore_missing: true + - rename: + field: gcp.metrics.container.memory.request_utilization.pct + target_field: gcp.gke.container.memory.request_utilization.pct + ignore_missing: true + - rename: + field: gcp.metrics.container.memory.used.bytes + target_field: gcp.gke.container.memory.used.bytes + ignore_missing: true + - rename: + field: gcp.metrics.container.restart.count + target_field: gcp.gke.container.restart.count + ignore_missing: true + - rename: + field: gcp.metrics.container.uptime.sec + target_field: gcp.gke.container.uptime.sec + ignore_missing: true + - rename: + field: gcp.metrics.node.cpu.allocatable_cores.value + target_field: gcp.gke.node.cpu.allocatable_cores.value + ignore_missing: true + - rename: + field: gcp.metrics.node.cpu.allocatable_utilization.pct + target_field: gcp.gke.node.cpu.allocatable_utilization.pct + ignore_missing: true + - rename: + field: gcp.metrics.node.cpu.core_usage_time.sec + target_field: gcp.gke.node.cpu.core_usage_time.sec + ignore_missing: true + - rename: + field: gcp.metrics.node.cpu.total_cores.value + target_field: gcp.gke.node.cpu.total_cores.value + ignore_missing: true + - rename: + field: gcp.metrics.node.ephemeral_storage.allocatable.bytes + target_field: gcp.gke.node.ephemeral_storage.allocatable.bytes + ignore_missing: true + - rename: + field: gcp.metrics.node.ephemeral_storage.inodes_free.value + target_field: gcp.gke.node.ephemeral_storage.inodes_free.value + ignore_missing: true + - rename: + field: gcp.metrics.node.ephemeral_storage.inodes_total.value + target_field: gcp.gke.node.ephemeral_storage.inodes_total.value + ignore_missing: true + - rename: + field: gcp.metrics.node.ephemeral_storage.total.bytes + target_field: gcp.gke.node.ephemeral_storage.total.bytes + ignore_missing: true + - rename: + field: gcp.metrics.node.ephemeral_storage.used.bytes + target_field: gcp.gke.node.ephemeral_storage.used.bytes + ignore_missing: true + - rename: + field: gcp.metrics.node.memory.allocatable.bytes + target_field: gcp.gke.node.memory.allocatable.bytes + ignore_missing: true + - rename: + field: gcp.metrics.node.memory.allocatable_utilization.pct + target_field: gcp.gke.node.memory.allocatable_utilization.pct + ignore_missing: true + - rename: + field: gcp.metrics.node.memory.total.bytes + target_field: gcp.gke.node.memory.total.bytes + ignore_missing: true + - rename: + field: gcp.metrics.node.memory.used.bytes + target_field: gcp.gke.node.memory.used.bytes + ignore_missing: true + - rename: + field: gcp.metrics.node.network.received_bytes.count + target_field: gcp.gke.node.network.received_bytes.count + ignore_missing: true + - rename: + field: gcp.metrics.node.network.sent_bytes.count + target_field: gcp.gke.node.network.sent_bytes.count + ignore_missing: true + - rename: + field: gcp.metrics.node.pid_limit.value + target_field: gcp.gke.node.pid_limit.value + ignore_missing: true + - rename: + field: gcp.metrics.node.pid_used.value + target_field: gcp.gke.node.pid_used.value + ignore_missing: true + - rename: + field: gcp.metrics.node_daemon.cpu.core_usage_time.sec + target_field: gcp.gke.node_daemon.cpu.core_usage_time.sec + ignore_missing: true + - rename: + field: gcp.metrics.node_daemon.memory.used.bytes + target_field: gcp.gke.node_daemon.memory.used.bytes + ignore_missing: true + - rename: + field: gcp.metrics.pod.network.received.bytes + target_field: gcp.gke.pod.network.received.bytes + ignore_missing: true + - rename: + field: gcp.metrics.pod.network.sent.bytes + target_field: gcp.gke.pod.network.sent.bytes + ignore_missing: true + - rename: + field: gcp.metrics.pod.volume.total.bytes + target_field: gcp.gke.pod.volume.total.bytes + ignore_missing: true + - rename: + field: gcp.metrics.pod.volume.used.bytes + target_field: gcp.gke.pod.volume.used.bytes + ignore_missing: true + - rename: + field: gcp.metrics.pod.volume.utilization.pct + target_field: gcp.gke.pod.volume.utilization.pct + ignore_missing: true + - remove: + field: + - gcp.metrics + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/gke/fields/agent.yml b/packages/gcp/2.13.0/data_stream/gke/fields/agent.yml new file mode 100755 index 0000000000..8e686410af --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/gke/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/gke/fields/base-fields.yml new file mode 100755 index 0000000000..485fc8f2d6 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.gke diff --git a/packages/gcp/2.13.0/data_stream/gke/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/gke/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/gke/fields/fields.yml b/packages/gcp/2.13.0/data_stream/gke/fields/fields.yml new file mode 100755 index 0000000000..ccef93d523 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/fields/fields.yml @@ -0,0 +1,124 @@ +- name: gcp.gke + description: Google Cloud GKE metrics + type: group + fields: + - name: container.cpu.core_usage_time.sec + type: double + description: Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. + - name: container.cpu.limit_cores.value + type: double + description: CPU cores limit of the container. Sampled every 60 seconds. + - name: container.cpu.limit_utilization.pct + type: double + description: The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. + - name: container.cpu.request_cores.value + type: double + description: Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. + - name: container.cpu.request_utilization.pct + type: double + description: The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. + - name: container.ephemeral_storage.limit.bytes + type: long + description: Local ephemeral storage limit in bytes. Sampled every 60 seconds. + - name: container.ephemeral_storage.request.bytes + type: long + description: Local ephemeral storage request in bytes. Sampled every 60 seconds. + - name: container.ephemeral_storage.used.bytes + type: long + description: Local ephemeral storage usage in bytes. Sampled every 60 seconds. + - name: container.memory.limit.bytes + type: long + description: Memory limit of the container in bytes. Sampled every 60 seconds. + - name: container.memory.limit_utilization.pct + type: double + description: The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. + - name: container.memory.page_fault.count + type: long + description: Number of page faults, broken down by type, major and minor. + - name: container.memory.request.bytes + type: long + description: Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. + - name: container.memory.request_utilization.pct + type: double + description: The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. + - name: container.memory.used.bytes + type: long + description: Memory usage in bytes. Sampled every 60 seconds. + - name: container.restart.count + type: long + description: Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. + - name: container.uptime.sec + type: double + description: Time in seconds that the container has been running. Sampled every 60 seconds. + - name: node.cpu.allocatable_cores.value + type: double + description: Number of allocatable CPU cores on the node. Sampled every 60 seconds. + - name: node.cpu.allocatable_utilization.pct + type: double + description: The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. + - name: node.cpu.core_usage_time.sec + type: double + description: Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. + - name: node.cpu.total_cores.value + type: double + description: Total number of CPU cores on the node. Sampled every 60 seconds. + - name: node.ephemeral_storage.allocatable.bytes + type: long + description: Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. + - name: node.ephemeral_storage.inodes_free.value + type: long + description: Free number of inodes on local ephemeral storage. Sampled every 60 seconds. + - name: node.ephemeral_storage.inodes_total.value + type: long + description: Total number of inodes on local ephemeral storage. Sampled every 60 seconds. + - name: node.ephemeral_storage.total.bytes + type: long + description: Total ephemeral storage bytes on the node. Sampled every 60 seconds. + - name: node.ephemeral_storage.used.bytes + type: long + description: Local ephemeral storage bytes used by the node. Sampled every 60 seconds. + - name: node.memory.allocatable.bytes + type: long + description: Cumulative memory bytes used by the node. Sampled every 60 seconds. + - name: node.memory.allocatable_utilization.pct + type: double + description: The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. + - name: node.memory.total.bytes + type: long + description: Number of bytes of memory allocatable on the node. Sampled every 60 seconds. + - name: node.memory.used.bytes + type: long + description: Cumulative memory bytes used by the node. Sampled every 60 seconds. + - name: node.network.received_bytes.count + type: long + description: Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. + - name: node.network.sent_bytes.count + type: long + description: Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. + - name: node.pid_limit.value + type: long + description: The max PID of OS on the node. Sampled every 60 seconds. + - name: node.pid_used.value + type: long + description: The number of running process in the OS on the node. Sampled every 60 seconds. + - name: node_daemon.cpu.core_usage_time.sec + type: double + description: Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. + - name: node_daemon.memory.used.bytes + type: long + description: Memory usage by the system daemon in bytes. Sampled every 60 seconds. + - name: pod.network.received.bytes + type: long + description: Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. + - name: pod.network.sent.bytes + type: long + description: Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. + - name: pod.volume.total.bytes + type: long + description: Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. + - name: pod.volume.used.bytes + type: long + description: Number of disk bytes used by the pod. Sampled every 60 seconds. + - name: pod.volume.utilization.pct + type: double + description: The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. diff --git a/packages/gcp/2.13.0/data_stream/gke/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/gke/fields/package-fields.yml new file mode 100755 index 0000000000..d8ccb93f50 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/fields/package-fields.yml @@ -0,0 +1,31 @@ +- name: gcp + description: >- + GCP module + fields: + - name: labels + type: object + description: >- + GCP monitoring metrics labels + fields: + - name: user.* + type: object + object_type: keyword + - name: metadata.* + type: object + object_type: keyword + - name: metrics.* + type: object + object_type: keyword + - name: system.* + type: object + object_type: keyword + - name: resource.* + type: object + object_type: keyword + - name: "metrics.*.*.*.*" + type: object + object_type: double + object_type_mapping_type: "*" + description: > + Metrics that returned from Google Cloud API query. + diff --git a/packages/gcp/2.13.0/data_stream/gke/manifest.yml b/packages/gcp/2.13.0/data_stream/gke/manifest.yml new file mode 100755 index 0000000000..971b64d46b --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/manifest.yml @@ -0,0 +1,31 @@ +title: "GCP GKE Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP GKE Metrics + description: Collect GCP GKE Metrics + vars: + - name: zone + type: text + title: GCP Zone + multi: false + required: false + show_user: true + - name: region + type: text + title: GCP Region + multi: false + required: false + show_user: true + - name: period + type: text + title: Period + default: 60s + required: true + - name: exclude_labels + type: bool + title: Exclude Labels + description: Exclude additional labels from metrics + multi: false + required: false + show_user: true diff --git a/packages/gcp/2.13.0/data_stream/gke/sample_event.json b/packages/gcp/2.13.0/data_stream/gke/sample_event.json new file mode 100755 index 0000000000..d4edec9bb4 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/gke/sample_event.json @@ -0,0 +1,51 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.gke", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "gke": { + "container": { + "cpu": { + "core_usage_time": { + "sec": 15 + } + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "gke", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs new file mode 100755 index 0000000000..d582de0a80 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/agent/stream/gcp-pubsub.yml.hbs @@ -0,0 +1,27 @@ +project_id: {{project_id}} +topic: {{topic}} +subscription.name: {{subscription_name}} +{{#if credentials_file}} +credentials_file: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if alternative_host}} +alternative_host: {{alternative_host}} +{{/if}} +subscription.create: {{subscription_create}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..eb4ae24a86 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,215 @@ +--- +description: Pipeline for Google Cloud DNS logs + +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - set: + field: event.kind + value: event + - set: + field: event.category + value: network + - set: + field: event.type + value: info + - date: + field: json.timestamp + timezone: UTC + formats: + - ISO8601 + - date: + field: json.receiveTimestamp + target_field: event.created + timezone: UTC + formats: + - ISO8601 + - rename: + field: json.logName + target_field: log.logger + ignore_missing: true + - set: + field: event.id + copy_from: json.insertId + ignore_empty_value: true + ignore_failure: true + - convert: + field: json.resource.labels.project_id + target_field: cloud.project.id + type: string + ignore_failure: true + - convert: + field: json.resource.labels.zone + target_field: cloud.region + type: string + ignore_failure: true + - grok: + field: json.httpRequest.remoteIp + ignore_missing: true + patterns: + - ^%{IP:source.address}(:%{POSINT:source.port:long})?$ + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_failure: true + - geoip: + field: source.ip + target_field: source.geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: json.httpRequest.requestMethod + target_field: http.request.method + ignore_missing: true + - convert: + field: json.httpRequest.requestSize + target_field: http.request.bytes + type: long + ignore_missing: true + - convert: + field: json.httpRequest.responseSize + target_field: http.response.bytes + type: long + ignore_missing: true + - rename: + field: json.httpRequest.status + target_field: http.response.status_code + ignore_missing: true + - dissect: + field: json.httpRequest.protocol + pattern: "%{network.protocol}/%{http.version}" + ignore_failure: true + if: ctx.json?.httpRequest?.protocol != null + - lowercase: + field: network.protocol + ignore_missing: true + - user_agent: + field: json.httpRequest.userAgent + target_field: user_agent + ignore_missing: true + - uri_parts: + field: json.httpRequest.requestUrl + target_field: url + if: ctx.json?.httpRequest?.requestUrl != null + - rename: + field: json.httpRequest.referer + target_field: http.request.referrer + ignore_missing: true + - grok: + field: json.httpRequest.serverIp + ignore_missing: true + patterns: + - ^%{IP:destination.nat.ip}(:%{POSINT:destination.nat.port:long})?$ + - set: + field: destination.address + copy_from: url.domain + ignore_empty_value: true + ignore_failure: true + - set: + field: destination.port + copy_from: url.port + ignore_empty_value: true + ignore_failure: true + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_missing: true + on_failure: + - rename: + field: url.domain + target_field: destination.domain + ignore_missing: true + ignore_failure: true + - rename: + field: json.severity + target_field: log.level + ignore_missing: true + - rename: + field: json.jsonPayload.cacheId + target_field: gcp.load_balancer.cache_id + ignore_missing: true + - rename: + field: json.jsonPayload.statusDetails + target_field: gcp.load_balancer.status_details + ignore_missing: true + - rename: + field: json.httpRequest.cacheHit + target_field: gcp.load_balancer.cache_hit + ignore_missing: true + - rename: + field: json.httpRequest.cacheLookup + target_field: gcp.load_balancer.cache_lookup + ignore_missing: true + - rename: + field: json.resource.labels.url_map_name + target_field: gcp.load_balancer.url_map_name + ignore_missing: true + - rename: + field: json.resource.labels.forwarding_rule_name + target_field: gcp.load_balancer.forwarding_rule_name + ignore_missing: true + - rename: + field: json.resource.labels.target_proxy_name + target_field: gcp.load_balancer.target_proxy_name + ignore_missing: true + - rename: + field: json.resource.labels.backend_service_name + target_field: gcp.load_balancer.backend_service_name + ignore_missing: true + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null + - append: + field: related.ip + value: "{{destination.nat.ip}}" + allow_duplicates: false + if: ctx?.destination?.nat?.ip != null + - append: + field: related.hosts + value: "{{destination.domain}}" + allow_duplicates: false + if: ctx?.destination?.domain != null + - remove: + field: + - json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/agent.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/agent.yml @@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/base-fields.yml new file mode 100755 index 0000000000..5d5236cac3 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.loadbalancing_logs diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/ecs.yml new file mode 100755 index 0000000000..fb2886752f --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/ecs.yml @@ -0,0 +1,196 @@ +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: Total size in bytes of the request (body and headers). + name: http.request.bytes + type: long +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: HTTP version. + name: http.version + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Port of the source. + name: source.port + type: long +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: Port of the request, such as 443. + name: url.port + type: long +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: Port of the destination. + name: destination.port + type: long +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/fields.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/fields.yml new file mode 100755 index 0000000000..5c4162eb07 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/fields/fields.yml @@ -0,0 +1,35 @@ +- name: gcp.load_balancer + type: group + fields: + - name: backend_service_name + type: keyword + description: | + The backend service to which the load balancer is sending traffic + - name: cache_hit + type: boolean + description: | + Whether or not an entity was served from cache (with or without validation). + - name: cache_id + type: keyword + description: >- + Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). + - name: cache_lookup + type: boolean + description: | + Whether or not a cache lookup was attempted. + - name: forwarding_rule_name + type: keyword + description: | + The name of the forwarding rule + - name: status_details + type: keyword + description: >- + Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. + - name: target_proxy_name + type: keyword + description: | + The target proxy name + - name: url_map_name + type: keyword + description: | + The URL map name diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_logs/manifest.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/manifest.yml new file mode 100755 index 0000000000..d570564343 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/manifest.yml @@ -0,0 +1,65 @@ +type: logs +title: Google Cloud Platform (GCP) Load Balancing logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-load_balancer + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-load_balancer + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: alternative_host + type: text + title: Alternative host + multi: false + required: false + show_user: false + description: "Overrides the default Pub/Sub service address and disables TLS. For testing." + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-loadbalancing_logs + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) Load Balancing logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) Load Balancing logs using gcp-pubsub input diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_logs/sample_event.json b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/sample_event.json new file mode 100755 index 0000000000..2f777d5650 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_logs/sample_event.json @@ -0,0 +1,136 @@ +{ + "@timestamp": "2020-06-08T23:41:30.078Z", + "agent": { + "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "project": { + "id": "PROJECT_ID" + }, + "region": "global" + }, + "data_stream": { + "dataset": "gcp.loadbalancing_logs", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.193", + "ip": "81.2.69.193", + "nat": { + "ip": "10.5.3.1", + "port": 9090 + }, + "port": 8080 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "category": "network", + "created": "2020-06-08T23:41:30.588Z", + "id": "1oek5rg3l3fxj7", + "kind": "event", + "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", + "type": "info" + }, + "gcp": { + "load_balancer": { + "backend_service_name": "", + "cache_hit": true, + "cache_id": "SFO-fbae48ad", + "cache_lookup": true, + "forwarding_rule_name": "FORWARDING_RULE_NAME", + "status_details": "response_from_cache", + "target_proxy_name": "TARGET_PROXY_NAME", + "url_map_name": "URL_MAP_NAME" + } + }, + "http": { + "request": { + "bytes": 577, + "method": "GET", + "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" + }, + "response": { + "bytes": 157, + "status_code": 304 + }, + "version": "2.0" + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/PROJECT_ID/logs/requests" + }, + "network": { + "protocol": "http" + }, + "related": { + "ip": [ + "89.160.20.156", + "81.2.69.193", + "10.5.3.1" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 9989 + }, + "tags": [ + "forwarded", + "gcp-firewall" + ], + "url": { + "domain": "81.2.69.193", + "extension": "jpg", + "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", + "path": "/static/us/three-cats.jpg", + "port": 8080, + "scheme": "http" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", + "os": { + "full": "Mac OS X 10.14.6", + "name": "Mac OS X", + "version": "10.14.6" + }, + "version": "83.0.4103.61" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..27124802fb --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/agent/stream/stream.yml.hbs @@ -0,0 +1,48 @@ +metricsets: ["metrics"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if zone}} +zone: {{zone}} +{{/if}} +exclude_labels: {{exclude_labels}} +metrics: + - service: loadbalancing + metric_types: + - "https/backend_request_bytes_count" + - "https/backend_request_count" + - "https/backend_response_bytes_count" + - "https/request_bytes_count" + - "https/request_count" + - "https/response_bytes_count" + - "l3/external/egress_bytes_count" + - "l3/external/egress_packets_count" + - "l3/external/ingress_bytes_count" + - "l3/external/ingress_packets_count" + - "l3/internal/egress_bytes_count" + - "l3/internal/egress_packets_count" + - "l3/internal/ingress_bytes_count" + - "l3/internal/ingress_packets_count" + - "tcp_ssl_proxy/closed_connections" + - "tcp_ssl_proxy/egress_bytes_count" + - "tcp_ssl_proxy/ingress_bytes_count" + - "tcp_ssl_proxy/new_connections" + - "tcp_ssl_proxy/open_connections" + - "https/backend_latencies" + - "https/external/regional/backend_latencies" + - "https/external/regional/total_latencies" + - "https/frontend_tcp_rtt" + - "https/internal/backend_latencies" + - "https/internal/total_latencies" + - "https/total_latencies" + - "l3/external/rtt_latencies" + - "l3/internal/rtt_latencies" + - "tcp_ssl_proxy/frontend_tcp_rtt" \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..81bd6368c6 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,127 @@ +--- +description: Pipeline for parsing GCP Loadbalancing metrics. +processors: + - rename: + field: gcp.metrics.https.backend_request.bytes + target_field: gcp.loadbalancing_metrics.https.backend_request.bytes + ignore_missing: true + - rename: + field: gcp.metrics.https.backend_request.count + target_field: gcp.loadbalancing_metrics.https.backend_request.count + ignore_missing: true + - rename: + field: gcp.metrics.https.backend_response.bytes + target_field: gcp.loadbalancing_metrics.https.backend_response.bytes + ignore_missing: true + - rename: + field: gcp.metrics.https.request.bytes + target_field: gcp.loadbalancing_metrics.https.request.bytes + ignore_missing: true + - rename: + field: gcp.metrics.https.request.count + target_field: gcp.loadbalancing_metrics.https.request.count + ignore_missing: true + - rename: + field: gcp.metrics.https.response.bytes + target_field: gcp.loadbalancing_metrics.https.response.bytes + ignore_missing: true + - rename: + field: gcp.metrics.l3.external.egress.bytes + target_field: gcp.loadbalancing_metrics.l3.external.egress.bytes + ignore_missing: true + - rename: + field: gcp.metrics.l3.external.egress_packets.count + target_field: gcp.loadbalancing_metrics.l3.external.egress_packets.count + ignore_missing: true + - rename: + field: gcp.metrics.l3.external.ingress.bytes + target_field: gcp.loadbalancing_metrics.l3.external.ingress.bytes + ignore_missing: true + - rename: + field: gcp.metrics.l3.external.ingress_packets.count + target_field: gcp.loadbalancing_metrics.l3.external.ingress_packets.count + ignore_missing: true + - rename: + field: gcp.metrics.l3.internal.egress.bytes + target_field: gcp.loadbalancing_metrics.l3.internal.egress.bytes + ignore_missing: true + - rename: + field: gcp.metrics.l3.internal.egress_packets.count + target_field: gcp.loadbalancing_metrics.l3.internal.egress_packets.count + ignore_missing: true + - rename: + field: gcp.metrics.l3.internal.ingress.bytes + target_field: gcp.loadbalancing_metrics.l3.internal.ingress.bytes + ignore_missing: true + - rename: + field: gcp.metrics.l3.internal.ingress_packets.count + target_field: gcp.loadbalancing_metrics.l3.internal.ingress_packets.count + ignore_missing: true + - rename: + field: gcp.metrics.tcp_ssl_proxy.closed_connections.value + target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.closed_connections.value + ignore_missing: true + - rename: + field: gcp.metrics.tcp_ssl_proxy.egress.bytes + target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.egress.bytes + ignore_missing: true + - rename: + field: gcp.metrics.tcp_ssl_proxy.ingress.bytes + target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.ingress.bytes + ignore_missing: true + - rename: + field: gcp.metrics.tcp_ssl_proxy.new_connections.value + target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.new_connections.value + ignore_missing: true + - rename: + field: gcp.metrics.tcp_ssl_proxy.open_connections.value + target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.open_connections.value + ignore_missing: true + - rename: + field: gcp.metrics.https.backend_latencies.value + target_field: gcp.loadbalancing_metrics.https.backend_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.https.external.regional.backend_latencies.value + target_field: gcp.loadbalancing_metrics.https.external.regional.backend_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.https.external.regional.total_latencies.value + target_field: gcp.loadbalancing_metrics.https.external.regional.total_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.https.frontend_tcp_rtt.value + target_field: gcp.loadbalancing_metrics.https.frontend_tcp_rtt.value + ignore_missing: true + - rename: + field: gcp.metrics.https.internal.backend_latencies.value + target_field: gcp.loadbalancing_metrics.https.internal.backend_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.https.internal.total_latencies.value + target_field: gcp.loadbalancing_metrics.https.internal.total_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.https.total_latencies.value + target_field: gcp.loadbalancing_metrics.https.total_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.l3.external.rtt_latencies.value + target_field: gcp.loadbalancing_metrics.l3.external.rtt_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.l3.internal.rtt_latencies.value + target_field: gcp.loadbalancing_metrics.l3.internal.rtt_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.tcp_ssl_proxy.frontend_tcp_rtt.value + target_field: gcp.loadbalancing_metrics.tcp_ssl_proxy.frontend_tcp_rtt.value + ignore_missing: true + - remove: + field: + - gcp.metrics + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/agent.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/agent.yml new file mode 100755 index 0000000000..8e686410af --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/base-fields.yml new file mode 100755 index 0000000000..9529fa58a5 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.loadbalancing_metrics diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/fields.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/fields.yml new file mode 100755 index 0000000000..2e8929f684 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/fields.yml @@ -0,0 +1,101 @@ +- name: gcp.loadbalancing + description: Google Cloud Load Balancing metrics + type: group + fields: + - name: https.backend_request.bytes + type: long + description: The number of bytes sent as requests from HTTP/S load balancer to backends. + - name: https.backend_request.count + type: long + description: The number of requests served by backends of HTTP/S load balancer. + - name: https.backend_response.bytes + type: long + description: The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. + - name: https.request.bytes + type: long + description: The number of bytes sent as requests from clients to HTTP/S load balancer. + - name: https.request.count + type: long + description: The number of requests served by HTTP/S load balancer. + - name: https.response.bytes + type: long + description: The number of bytes sent as responses from HTTP/S load balancer to clients. + - name: l3.external.egress.bytes + type: long + description: The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. + - name: l3.external.egress_packets.count + type: long + description: The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. + - name: l3.external.ingress.bytes + type: long + description: The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. + - name: l3.external.ingress_packets.count + type: long + description: The number of packets sent from client to external TCP/UDP network load balancer backend. + - name: l3.internal.egress.bytes + type: long + description: The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). + - name: l3.internal.egress_packets.count + type: long + description: The number of packets sent from ILB backend to client of the flow. + - name: l3.internal.ingress.bytes + type: long + description: The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). + - name: l3.internal.ingress_packets.count + type: long + description: The number of packets sent from client to ILB backend. + - name: tcp_ssl_proxy.closed_connections.value + type: long + description: Number of connections that were terminated over TCP/SSL proxy. + - name: tcp_ssl_proxy.egress.bytes + type: long + description: Number of bytes sent from VM to client using proxy. + - name: tcp_ssl_proxy.ingress.bytes + type: long + description: Number of bytes sent from client to VM using proxy. + - name: tcp_ssl_proxy.new_connections.value + type: long + description: Number of connections that were created over TCP/SSL proxy. + - name: tcp_ssl_proxy.open_connections.value + type: long + description: Current number of outstanding connections through the TCP/SSL proxy. + - name: https.backend_latencies.value + type: object + object_type: histogram + description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. + - name: https.external.regional.backend_latencies.value + type: object + object_type: histogram + description: A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. + - name: https.external.regional.total_latencies.value + type: object + object_type: histogram + description: A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. + - name: https.frontend_tcp_rtt.value + type: object + object_type: histogram + description: A distribution of the RTT measured for each connection between client and proxy. + - name: https.internal.backend_latencies.value + type: object + object_type: histogram + description: A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. + - name: https.internal.total_latencies.value + type: object + object_type: histogram + description: A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. + - name: https.total_latencies.value + type: object + object_type: histogram + description: A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. + - name: l3.external.rtt_latencies.value + type: object + object_type: histogram + description: A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. + - name: l3.internal.rtt_latencies.value + type: object + object_type: histogram + description: A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. + - name: tcp_ssl_proxy.frontend_tcp_rtt.value + type: object + object_type: histogram + description: A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/package-fields.yml new file mode 100755 index 0000000000..d8ccb93f50 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/fields/package-fields.yml @@ -0,0 +1,31 @@ +- name: gcp + description: >- + GCP module + fields: + - name: labels + type: object + description: >- + GCP monitoring metrics labels + fields: + - name: user.* + type: object + object_type: keyword + - name: metadata.* + type: object + object_type: keyword + - name: metrics.* + type: object + object_type: keyword + - name: system.* + type: object + object_type: keyword + - name: resource.* + type: object + object_type: keyword + - name: "metrics.*.*.*.*" + type: object + object_type: double + object_type_mapping_type: "*" + description: > + Metrics that returned from Google Cloud API query. + diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/manifest.yml b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/manifest.yml new file mode 100755 index 0000000000..4e669823a3 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/manifest.yml @@ -0,0 +1,31 @@ +title: "GCP Load Balancing Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP Load Balancing Metrics + description: Collect GCP Load Balancing Metrics + vars: + - name: zone + type: text + title: GCP Zone + multi: false + required: false + show_user: true + - name: region + type: text + title: GCP Region + multi: false + required: false + show_user: true + - name: period + type: text + title: Period + default: 60s + required: true + - name: exclude_labels + type: bool + title: Exclude Labels + description: Exclude additional labels from metrics + multi: false + required: false + show_user: true diff --git a/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/sample_event.json b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/sample_event.json new file mode 100755 index 0000000000..a0e5d35b49 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/loadbalancing_metrics/sample_event.json @@ -0,0 +1,57 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-observability" + }, + "provider": "gcp", + "region": "us-central1", + "availability_zone": "us-central1-a" + }, + "event": { + "dataset": "gcp.loadbalancing_metrics", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "labels": { + "metrics": { + "client_network": "ocp-be-c5kjr-network", + "client_subnetwork": "ocp-be-c5kjr-worker-subnet", + "client_zone": "us-central1-a" + }, + "resource": { + "backend_name": "ocp-be-c5kjr-master-us-central1-a", + "backend_scope": "us-central1-a", + "backend_scope_type": "ZONE", + "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", + "backend_target_name": "ocp-be-c5kjr-api-internal", + "backend_target_type": "BACKEND_SERVICE", + "backend_type": "INSTANCE_GROUP", + "forwarding_rule_name": "ocp-be-c5kjr-api-internal", + "load_balancer_name": "ocp-be-c5kjr-api-internal", + "network_name": "ocp-be-c5kjr-network", + "region": "us-central1" + } + }, + "loadbalancing": { + "l3": { + "internal": { + "egress_packets": { + "count": 100 + }, + "egress": { + "bytes": 1247589 + } + } + } + } + }, + "metricset": { + "name": "loadbalancing", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/pubsub/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/pubsub/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..3444d1ca25 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/agent/stream/stream.yml.hbs @@ -0,0 +1,67 @@ +metricsets: ["metrics"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if zone}} +zone: {{zone}} +{{/if}} +exclude_labels: {{exclude_labels}} +metrics: + - service: pubsub + metric_types: + - "snapshot/backlog_bytes" + - "snapshot/backlog_bytes_by_region" + - "snapshot/config_updates_count" + - "snapshot/num_messages" + - "snapshot/num_messages_by_region" + - "snapshot/oldest_message_age" + - "snapshot/oldest_message_age_by_region" + - "subscription/ack_message_count" + - "subscription/backlog_bytes" + - "subscription/byte_cost" + - "subscription/config_updates_count" + - "subscription/dead_letter_message_count" + - "subscription/mod_ack_deadline_message_count" + - "subscription/mod_ack_deadline_message_operation_count" + - "subscription/mod_ack_deadline_request_count" + - "subscription/num_outstanding_messages" + - "subscription/num_undelivered_messages" + - "subscription/oldest_retained_acked_message_age" + - "subscription/oldest_retained_acked_message_age_by_region" + - "subscription/oldest_unacked_message_age" + - "subscription/oldest_unacked_message_age_by_region" + - "subscription/pull_ack_message_operation_count" + - "subscription/pull_ack_request_count" + - "subscription/pull_message_operation_count" + - "subscription/pull_request_count" + - "subscription/push_request_count" + - "subscription/retained_acked_bytes" + - "subscription/retained_acked_bytes_by_region" + - "subscription/seek_request_count" + - "subscription/sent_message_count" + - "subscription/streaming_pull_ack_message_operation_count" + - "subscription/streaming_pull_ack_request_count" + - "subscription/streaming_pull_message_operation_count" + - "subscription/streaming_pull_mod_ack_deadline_message_operation_count" + - "subscription/streaming_pull_mod_ack_deadline_request_count" + - "subscription/streaming_pull_response_count" + - "subscription/unacked_bytes_by_region" + - "topic/byte_cost" + - "topic/config_updates_count" + - "topic/oldest_retained_acked_message_age_by_region" + - "topic/oldest_unacked_message_age_by_region" + - "topic/retained_acked_bytes_by_region" + - "topic/send_message_operation_count" + - "topic/send_request_count" + - "topic/unacked_bytes_by_region" + - "subscription/ack_latencies" + - "subscription/push_request_latencies" + - "topic/message_sizes" \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..41c81b4d9b --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,207 @@ +--- +description: Pipeline for parsing GCP PubSub metrics. +processors: + - rename: + field: gcp.metrics.snapshot.backlog.bytes + target_field: gcp.pubsub.snapshot.backlog.bytes + ignore_missing: true + - rename: + field: gcp.metrics.snapshot.backlog_bytes_by_region.bytes + target_field: gcp.pubsub.snapshot.backlog_bytes_by_region.bytes + ignore_missing: true + - rename: + field: gcp.metrics.snapshot.config_updates.count + target_field: gcp.pubsub.snapshot.config_updates.count + ignore_missing: true + - rename: + field: gcp.metrics.snapshot.num_messages.value + target_field: gcp.pubsub.snapshot.num_messages.value + ignore_missing: true + - rename: + field: gcp.metrics.snapshot.num_messages_by_region.value + target_field: gcp.pubsub.snapshot.num_messages_by_region.value + ignore_missing: true + - rename: + field: gcp.metrics.snapshot.oldest_message_age.sec + target_field: gcp.pubsub.snapshot.oldest_message_age.sec + ignore_missing: true + - rename: + field: gcp.metrics.snapshot.oldest_message_age_by_region.sec + target_field: gcp.pubsub.snapshot.oldest_message_age_by_region.sec + ignore_missing: true + - rename: + field: gcp.metrics.subscription.ack_message.count + target_field: gcp.pubsub.subscription.ack_message.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.backlog.bytes + target_field: gcp.pubsub.subscription.backlog.bytes + ignore_missing: true + - rename: + field: gcp.metrics.subscription.byte_cost.bytes + target_field: gcp.pubsub.subscription.byte_cost.bytes + ignore_missing: true + - rename: + field: gcp.metrics.subscription.config_updates.count + target_field: gcp.pubsub.subscription.config_updates.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.dead_letter_message.count + target_field: gcp.pubsub.subscription.dead_letter_message.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.mod_ack_deadline_message.count + target_field: gcp.pubsub.subscription.mod_ack_deadline_message.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.mod_ack_deadline_message_operation.count + target_field: gcp.pubsub.subscription.mod_ack_deadline_message_operation.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.mod_ack_deadline_request.count + target_field: gcp.pubsub.subscription.mod_ack_deadline_request.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.num_outstanding_messages.value + target_field: gcp.pubsub.subscription.num_outstanding_messages.value + ignore_missing: true + - rename: + field: gcp.metrics.subscription.num_undelivered_messages.value + target_field: gcp.pubsub.subscription.num_undelivered_messages.value + ignore_missing: true + - rename: + field: gcp.metrics.subscription.oldest_retained_acked_message_age.sec + target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age.sec + ignore_missing: true + - rename: + field: gcp.metrics.subscription.oldest_retained_acked_message_age_by_region.value + target_field: gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value + ignore_missing: true + - rename: + field: gcp.metrics.subscription.oldest_unacked_message_age.sec + target_field: gcp.pubsub.subscription.oldest_unacked_message_age.sec + ignore_missing: true + - rename: + field: gcp.metrics.subscription.oldest_unacked_message_age_by_region.value + target_field: gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value + ignore_missing: true + - rename: + field: gcp.metrics.subscription.pull_ack_message_operation.count + target_field: gcp.pubsub.subscription.pull_ack_message_operation.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.pull_ack_request.count + target_field: gcp.pubsub.subscription.pull_ack_request.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.pull_message_operation.count + target_field: gcp.pubsub.subscription.pull_message_operation.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.pull_request.count + target_field: gcp.pubsub.subscription.pull_request.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.push_request.count + target_field: gcp.pubsub.subscription.push_request.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.retained_acked.bytes + target_field: gcp.pubsub.subscription.retained_acked.bytes + ignore_missing: true + - rename: + field: gcp.metrics.subscription.retained_acked_bytes_by_region.bytes + target_field: gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes + ignore_missing: true + - rename: + field: gcp.metrics.subscription.seek_request.count + target_field: gcp.pubsub.subscription.seek_request.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.sent_message.count + target_field: gcp.pubsub.subscription.sent_message.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.streaming_pull_ack_message_operation.count + target_field: gcp.pubsub.subscription.streaming_pull_ack_message_operation.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.streaming_pull_ack_request.count + target_field: gcp.pubsub.subscription.streaming_pull_ack_request.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.streaming_pull_message_operation.count + target_field: gcp.pubsub.subscription.streaming_pull_message_operation.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_message_operation.count + target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.streaming_pull_mod_ack_deadline_request.count + target_field: gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.streaming_pull_response.count + target_field: gcp.pubsub.subscription.streaming_pull_response.count + ignore_missing: true + - rename: + field: gcp.metrics.subscription.unacked_bytes_by_region.bytes + target_field: gcp.pubsub.subscription.unacked_bytes_by_region.bytes + ignore_missing: true + - rename: + field: gcp.metrics.topic.byte_cost.bytes + target_field: gcp.pubsub.topic.byte_cost.bytes + ignore_missing: true + - rename: + field: gcp.metrics.topic.config_updates.count + target_field: gcp.pubsub.topic.config_updates.count + ignore_missing: true + - rename: + field: gcp.metrics.topic.message_sizes.bytes + target_field: gcp.pubsub.topic.message_sizes.bytes + ignore_missing: true + - rename: + field: gcp.metrics.topic.oldest_retained_acked_message_age_by_region.value + target_field: gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value + ignore_missing: true + - rename: + field: gcp.metrics.topic.oldest_unacked_message_age_by_region.value + target_field: gcp.pubsub.topic.oldest_unacked_message_age_by_region.value + ignore_missing: true + - rename: + field: gcp.metrics.topic.retained_acked_bytes_by_region.bytes + target_field: gcp.pubsub.topic.retained_acked_bytes_by_region.bytes + ignore_missing: true + - rename: + field: gcp.metrics.topic.send_message_operation.count + target_field: gcp.pubsub.topic.send_message_operation.count + ignore_missing: true + - rename: + field: gcp.metrics.topic.send_request.count + target_field: gcp.pubsub.topic.send_request.count + ignore_missing: true + - rename: + field: gcp.metrics.topic.streaming_pull_response.count + target_field: gcp.pubsub.topic.streaming_pull_response.count + ignore_missing: true + - rename: + field: gcp.metrics.topic.unacked_bytes_by_region.bytes + target_field: gcp.pubsub.topic.unacked_bytes_by_region.bytes + ignore_missing: true + - rename: + field: gcp.metrics.subscription.ack_latencies.value + target_field: gcp.pubsub.subscription.ack_latencies.value + ignore_missing: true + - rename: + field: gcp.metrics.subscription.push_request_latencies.value + target_field: gcp.pubsub.subscription.push_request_latencies.value + ignore_missing: true + - remove: + field: + - gcp.metrics + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/pubsub/fields/agent.yml b/packages/gcp/2.13.0/data_stream/pubsub/fields/agent.yml new file mode 100755 index 0000000000..8e686410af --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/pubsub/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/pubsub/fields/base-fields.yml new file mode 100755 index 0000000000..2ca07084fc --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.pubsub diff --git a/packages/gcp/2.13.0/data_stream/pubsub/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/pubsub/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/pubsub/fields/fields.yml b/packages/gcp/2.13.0/data_stream/pubsub/fields/fields.yml new file mode 100755 index 0000000000..18b09ae2c1 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/fields/fields.yml @@ -0,0 +1,154 @@ +- name: gcp.pubsub + description: Google Cloud PubSub metrics + type: group + fields: + - name: snapshot.backlog.bytes + type: long + description: Total byte size of the messages retained in a snapshot. + - name: snapshot.backlog_bytes_by_region.bytes + type: long + description: Total byte size of the messages retained in a snapshot, broken down by Cloud region. + - name: snapshot.config_updates.count + type: long + description: Cumulative count of configuration changes, grouped by operation type and result. + - name: snapshot.num_messages.value + type: long + description: Number of messages retained in a snapshot. + - name: snapshot.num_messages_by_region.value + type: long + description: Number of messages retained in a snapshot, broken down by Cloud region. + - name: snapshot.oldest_message_age.sec + type: long + description: Age (in seconds) of the oldest message retained in a snapshot. + - name: snapshot.oldest_message_age_by_region.sec + type: long + description: Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. + - name: subscription.ack_message.count + type: long + description: Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. + - name: subscription.backlog.bytes + type: long + description: Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. + - name: subscription.byte_cost.bytes + type: long + description: Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. + - name: subscription.config_updates.count + type: long + description: Cumulative count of configuration changes for each subscription, grouped by operation type and result. + - name: subscription.dead_letter_message.count + type: long + description: Cumulative count of messages published to dead letter topic, grouped by result. + - name: subscription.mod_ack_deadline_message.count + type: long + description: Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. + - name: subscription.mod_ack_deadline_message_operation.count + type: long + description: Cumulative count of ModifyAckDeadline message operations, grouped by result. + - name: subscription.mod_ack_deadline_request.count + type: long + description: Cumulative count of ModifyAckDeadline requests, grouped by result. + - name: subscription.num_outstanding_messages.value + type: long + description: Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. + - name: subscription.num_undelivered_messages.value + type: long + description: Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. + - name: subscription.oldest_retained_acked_message_age.sec + type: long + description: Age (in seconds) of the oldest acknowledged message retained in a subscription. + - name: subscription.oldest_retained_acked_message_age_by_region.value + type: long + description: Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. + - name: subscription.oldest_unacked_message_age.sec + type: long + description: Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. + - name: subscription.oldest_unacked_message_age_by_region.value + type: long + description: Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. + - name: subscription.pull_ack_message_operation.count + type: long + description: Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. + - name: subscription.pull_ack_request.count + type: long + description: Cumulative count of acknowledge requests, grouped by result. + - name: subscription.pull_message_operation.count + type: long + description: Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. + - name: subscription.pull_request.count + type: long + description: Cumulative count of pull requests, grouped by result. + - name: subscription.push_request.count + type: long + description: Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. + - name: subscription.retained_acked.bytes + type: long + description: Total byte size of the acknowledged messages retained in a subscription. + - name: subscription.retained_acked_bytes_by_region.bytes + type: long + description: Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. + - name: subscription.seek_request.count + type: long + description: Cumulative count of seek attempts, grouped by result. + - name: subscription.sent_message.count + type: long + description: Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. + - name: subscription.streaming_pull_ack_message_operation.count + type: long + description: Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. + - name: subscription.streaming_pull_ack_request.count + type: long + description: Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. + - name: subscription.streaming_pull_message_operation.count + type: long + description: Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count + - name: subscription.streaming_pull_mod_ack_deadline_message_operation.count + type: long + description: Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. + - name: subscription.streaming_pull_mod_ack_deadline_request.count + type: long + description: Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. + - name: subscription.streaming_pull_response.count + type: long + description: Cumulative count of streaming pull responses, grouped by result. + - name: subscription.unacked_bytes_by_region.bytes + type: long + description: Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. + - name: topic.byte_cost.bytes + type: long + description: Cost of operations, measured in bytes. This is used to measure utilization for quotas. + - name: topic.config_updates.count + type: long + description: Cumulative count of configuration changes, grouped by operation type and result. + - name: topic.message_sizes.bytes + type: object + object_type: histogram + description: Distribution of publish message sizes (in bytes) + - name: topic.oldest_retained_acked_message_age_by_region.value + type: long + description: Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. + - name: topic.oldest_unacked_message_age_by_region.value + type: long + description: Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. + - name: topic.retained_acked_bytes_by_region.bytes + type: long + description: Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. + - name: topic.send_message_operation.count + type: long + description: Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. + - name: topic.send_request.count + type: long + description: Cumulative count of publish requests, grouped by result. + - name: topic.streaming_pull_response.count + type: long + description: Cumulative count of streaming pull responses, grouped by result. + - name: topic.unacked_bytes_by_region.bytes + type: long + description: Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. + - name: subscription.ack_latencies.value + type: object + object_type: histogram + description: Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. + - name: subscription.push_request_latencies.value + type: object + object_type: histogram + description: Distribution of push request latencies (in microseconds), grouped by result. diff --git a/packages/gcp/2.13.0/data_stream/pubsub/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/pubsub/fields/package-fields.yml new file mode 100755 index 0000000000..d8ccb93f50 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/fields/package-fields.yml @@ -0,0 +1,31 @@ +- name: gcp + description: >- + GCP module + fields: + - name: labels + type: object + description: >- + GCP monitoring metrics labels + fields: + - name: user.* + type: object + object_type: keyword + - name: metadata.* + type: object + object_type: keyword + - name: metrics.* + type: object + object_type: keyword + - name: system.* + type: object + object_type: keyword + - name: resource.* + type: object + object_type: keyword + - name: "metrics.*.*.*.*" + type: object + object_type: double + object_type_mapping_type: "*" + description: > + Metrics that returned from Google Cloud API query. + diff --git a/packages/gcp/2.13.0/data_stream/pubsub/manifest.yml b/packages/gcp/2.13.0/data_stream/pubsub/manifest.yml new file mode 100755 index 0000000000..39d8944a03 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/manifest.yml @@ -0,0 +1,31 @@ +title: "GCP PubSub Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP PubSub Metrics + description: Collect GCP PubSub Metrics + vars: + - name: zone + type: text + title: GCP Zone + multi: false + required: false + show_user: true + - name: region + type: text + title: GCP Region + multi: false + required: false + show_user: true + - name: period + type: text + title: Period + default: 60s + required: true + - name: exclude_labels + type: bool + title: Exclude Labels + description: Exclude additional labels from metrics + multi: false + required: false + show_user: true diff --git a/packages/gcp/2.13.0/data_stream/pubsub/sample_event.json b/packages/gcp/2.13.0/data_stream/pubsub/sample_event.json new file mode 100755 index 0000000000..c8419630eb --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/pubsub/sample_event.json @@ -0,0 +1,49 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.pubsub", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "pubsub": { + "subscription": { + "backlog": { + "bytes": 0 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "pubsub", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/redis/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/redis/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..f49f27a487 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/agent/stream/stream.yml.hbs @@ -0,0 +1,50 @@ +metricsets: ["metrics"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if zone}} +zone: {{zone}} +{{/if}} +exclude_labels: {{exclude_labels}} +metrics: + - service: redis + metric_types: + - "clients/blocked" + - "clients/connected" + - "commands/calls" + - "commands/total_time" + - "commands/usec_per_call" + - "keyspace/avg_ttl" + - "keyspace/keys" + - "keyspace/keys_with_expiration" + - "persistence/rdb/bgsave_in_progress" + - "replication/master/slaves/lag" + - "replication/master/slaves/offset" + - "replication/master_repl_offset" + - "replication/offset_diff" + - "replication/role" + - "server/uptime" + - "stats/cache_hit_ratio" + - "stats/connections/total" + - "stats/cpu_utilization" + - "stats/evicted_keys" + - "stats/expired_keys" + - "stats/keyspace_hits" + - "stats/keyspace_misses" + - "stats/memory/maxmemory" + - "stats/memory/system_memory_overload_duration" + - "stats/memory/system_memory_usage_ratio" + - "stats/memory/usage" + - "stats/memory/usage_ratio" + - "stats/network_traffic" + - "stats/pubsub/channels" + - "stats/pubsub/patterns" + - "stats/reject_connections_count" \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..6760e205f0 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,131 @@ +--- +description: Pipeline for parsing GCP Redis metrics. +processors: + - rename: + field: gcp.metrics.clients.blocked.value + target_field: gcp.redis.clients.blocked.count + ignore_missing: true + - rename: + field: gcp.metrics.clients.connected.value + target_field: gcp.redis.clients.connected.count + ignore_missing: true + - rename: + field: gcp.metrics.commands.calls.value + target_field: gcp.redis.commands.calls.count + ignore_missing: true + - rename: + field: gcp.metrics.commands.total_time.value + target_field: gcp.redis.commands.total_time.us + ignore_missing: true + - rename: + field: gcp.metrics.commands.usec_per_call.value + target_field: gcp.redis.commands.usec_per_call.sec + ignore_missing: true + - rename: + field: gcp.metrics.keyspace.avg_ttl.value + target_field: gcp.redis.keyspace.avg_ttl.sec + ignore_missing: true + - rename: + field: gcp.metrics.keyspace.keys.value + target_field: gcp.redis.keyspace.keys.count + ignore_missing: true + - rename: + field: gcp.metrics.keyspace.keys_with_expiration.value + target_field: gcp.redis.keyspace.keys_with_expiration.count + ignore_missing: true + - rename: + field: gcp.metrics.persistence.rdb.bgsave_in_progress.value + target_field: gcp.redis.persistence.rdb.bgsave_in_progress + ignore_missing: true + - rename: + field: gcp.metrics.replication.master.slaves.lag.value + target_field: gcp.redis.replication.master.slaves.lag.sec + ignore_missing: true + - rename: + field: gcp.metrics.replication.master.slaves.offset.value + target_field: gcp.redis.replication.master.slaves.offset.bytes + ignore_missing: true + - rename: + field: gcp.metrics.replication.master_repl_offset.value + target_field: gcp.redis.replication.master_repl_offset.bytes + ignore_missing: true + - rename: + field: gcp.metrics.replication.offset_diff.value + target_field: gcp.redis.replication.offset_diff.bytes + ignore_missing: true + - rename: + field: gcp.metrics.replication.role.value + target_field: gcp.redis.replication.role + ignore_missing: true + - rename: + field: gcp.metrics.server.uptime.value + target_field: gcp.redis.server.uptime.sec + ignore_missing: true + - rename: + field: gcp.metrics.stats.cache_hit_ratio.value + target_field: gcp.redis.stats.cache_hit_ratio + ignore_missing: true + - rename: + field: gcp.metrics.stats.connections.total.value + target_field: gcp.redis.stats.connections.total.count + ignore_missing: true + - rename: + field: gcp.metrics.stats.cpu_utilization.value + target_field: gcp.redis.stats.cpu_utilization.sec + ignore_missing: true + - rename: + field: gcp.metrics.stats.evicted_keys.value + target_field: gcp.redis.stats.evicted_keys.count + ignore_missing: true + - rename: + field: gcp.metrics.stats.expired_keys.value + target_field: gcp.redis.stats.expired_keys.count + ignore_missing: true + - rename: + field: gcp.metrics.stats.keyspace_hits.value + target_field: gcp.redis.stats.keyspace_hits.count + ignore_missing: true + - rename: + field: gcp.metrics.stats.keyspace_misses.value + target_field: gcp.redis.stats.keyspace_misses.count + ignore_missing: true + - rename: + field: gcp.metrics.stats.memory.maxmemory.value + target_field: gcp.redis.stats.memory.maxmemory.mb + ignore_missing: true + - rename: + field: gcp.metrics.stats.memory.system_memory_overload_duration.value + target_field: gcp.redis.stats.memory.system_memory_overload_duration.us + ignore_missing: true + - rename: + field: gcp.metrics.stats.memory.system_memory_usage_ratio.value + target_field: gcp.redis.stats.memory.system_memory_usage_ratio + ignore_missing: true + - rename: + field: gcp.metrics.stats.memory.usage.value + target_field: gcp.redis.stats.memory.usage.bytes + ignore_missing: true + - rename: + field: gcp.metrics.stats.memory.usage_ratio.value + target_field: gcp.redis.stats.memory.usage_ratio + ignore_missing: true + - rename: + field: gcp.metrics.stats.network_traffic.value + target_field: gcp.redis.stats.network_traffic.bytes + ignore_missing: true + - rename: + field: gcp.metrics.stats.pubsub.channels.value + target_field: gcp.redis.stats.pubsub.channels.count + ignore_missing: true + - rename: + field: gcp.metrics.stats.pubsub.patterns.value + target_field: gcp.redis.stats.pubsub.patterns.count + ignore_missing: true + - rename: + field: gcp.metrics.stats.reject_connections_count.value + target_field: gcp.redis.stats.reject_connections.count + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/redis/fields/agent.yml b/packages/gcp/2.13.0/data_stream/redis/fields/agent.yml new file mode 100755 index 0000000000..8e686410af --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/redis/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/redis/fields/base-fields.yml new file mode 100755 index 0000000000..04b25f1af4 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.redis diff --git a/packages/gcp/2.13.0/data_stream/redis/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/redis/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/redis/fields/fields.yml b/packages/gcp/2.13.0/data_stream/redis/fields/fields.yml new file mode 100755 index 0000000000..b3a1d72c5b --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/fields/fields.yml @@ -0,0 +1,141 @@ +- name: gcp.redis + description: Google Cloud Redis metrics + type: group + fields: + - name: clients.blocked.count + type: long + metric_type: gauge + description: Number of blocked clients. + - name: clients.connected.count + type: long + metric_type: gauge + description: Number of client connections. + - name: commands.calls.count + type: long + metric_type: counter + description: Total number of calls for this command in one minute. + - name: commands.total_time.us + type: long + unit: micros + metric_type: counter + description: The amount of time in microseconds that this command took in the last second. + - name: commands.usec_per_call.sec + type: double + unit: s + metric_type: gauge + description: Average time per call over 1 minute by command. + - name: keyspace.avg_ttl.sec + type: double + unit: s + metric_type: gauge + description: Average TTL for keys in this database. + - name: keyspace.keys.count + type: long + metric_type: gauge + description: Number of keys stored in this database. + - name: keyspace.keys_with_expiration.count + type: long + metric_type: gauge + description: Number of keys with an expiration in this database. + - name: persistence.rdb.bgsave_in_progress + type: boolean + metric_type: gauge + description: Flag indicating a RDB save is on-going. + - name: replication.master.slaves.lag.sec + type: long + unit: s + metric_type: gauge + description: The number of seconds that replica is lagging behind primary. + - name: replication.master.slaves.offset.bytes + type: long + unit: byte + metric_type: gauge + description: The number of bytes that have been acknowledged by replicas. + - name: replication.master_repl_offset.bytes + type: long + unit: byte + metric_type: gauge + description: The number of bytes that master has produced and sent to replicas. + - name: replication.offset_diff.bytes + type: long + unit: byte + metric_type: gauge + description: The largest number of bytes that have not been replicated across all replicas. This is the biggest difference between replication byte offset (master) and replication byte offset (replica) of all replicas. + - name: replication.role + type: long + metric_type: gauge + description: Returns a value indicating the node role. 1 indicates primary and 0 indicates replica. + - name: server.uptime.sec + type: long + unit: s + metric_type: gauge + description: Uptime in seconds. + - name: stats.cache_hit_ratio + type: double + metric_type: gauge + description: Cache Hit ratio as a fraction. + - name: stats.connections.total.count + type: long + metric_type: counter + description: Total number of connections accepted by the server. + - name: stats.cpu_utilization.sec + type: double + unit: s + metric_type: gauge + description: CPU-seconds consumed by the Redis server, broken down by system/user space and parent/child relationship. + - name: stats.evicted_keys.count + type: long + metric_type: counter + description: Number of evicted keys due to maxmemory limit. + - name: stats.expired_keys.count + type: long + metric_type: counter + description: Total number of key expiration events. + - name: stats.keyspace_hits.count + type: long + metric_type: counter + description: Number of successful lookup of keys in the main dictionary. + - name: stats.keyspace_misses.count + type: long + metric_type: counter + description: Number of failed lookup of keys in the main dictionary. + - name: stats.memory.maxmemory.mb + type: long + unit: m + metric_type: gauge + description: Maximum amount of memory Redis can consume. + - name: stats.memory.system_memory_overload_duration.us + type: long + unit: micros + metric_type: gauge + description: The amount of time in microseconds the instance is in system memory overload mode. + - name: stats.memory.system_memory_usage_ratio + type: double + metric_type: gauge + description: Memory usage as a ratio of maximum system memory. + - name: stats.memory.usage.bytes + type: long + unit: byte + metric_type: gauge + description: Total number of bytes allocated by Redis. + - name: stats.memory.usage_ratio + type: double + metric_type: gauge + description: Memory usage as a ratio of maximum memory. + - name: stats.network_traffic.bytes + type: long + unit: byte + metric_type: counter + description: Total number of bytes sent to/from redis (includes bytes from commands themselves, payload data, and delimiters). + - name: stats.pubsub.channels.count + type: long + metric_type: gauge + description: Global number of pub/sub channels with client subscriptions. + - name: stats.pubsub.patterns.count + type: long + metric_type: gauge + description: Global number of pub/sub pattern with client subscriptions. + - name: stats.reject_connections.count + type: long + metric_type: gauge + description: Number of connections rejected because of maxclients limit. diff --git a/packages/gcp/2.13.0/data_stream/redis/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/redis/fields/package-fields.yml new file mode 100755 index 0000000000..d8ccb93f50 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/fields/package-fields.yml @@ -0,0 +1,31 @@ +- name: gcp + description: >- + GCP module + fields: + - name: labels + type: object + description: >- + GCP monitoring metrics labels + fields: + - name: user.* + type: object + object_type: keyword + - name: metadata.* + type: object + object_type: keyword + - name: metrics.* + type: object + object_type: keyword + - name: system.* + type: object + object_type: keyword + - name: resource.* + type: object + object_type: keyword + - name: "metrics.*.*.*.*" + type: object + object_type: double + object_type_mapping_type: "*" + description: > + Metrics that returned from Google Cloud API query. + diff --git a/packages/gcp/2.13.0/data_stream/redis/manifest.yml b/packages/gcp/2.13.0/data_stream/redis/manifest.yml new file mode 100755 index 0000000000..34af2e39c8 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/manifest.yml @@ -0,0 +1,31 @@ +title: "GCP Redis Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP Redis Metrics + description: Collect GCP Redis Metrics + vars: + - name: zone + type: text + title: GCP Zone + multi: false + required: false + show_user: true + - name: region + type: text + title: GCP Region + multi: false + required: false + show_user: true + - name: period + type: text + title: Period + default: 60s + required: true + - name: exclude_labels + type: bool + title: Exclude Labels + description: Exclude additional labels from metrics + multi: false + required: false + show_user: true diff --git a/packages/gcp/2.13.0/data_stream/redis/sample_event.json b/packages/gcp/2.13.0/data_stream/redis/sample_event.json new file mode 100755 index 0000000000..d4a07632b0 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/redis/sample_event.json @@ -0,0 +1,49 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.redis", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "redis": { + "clients": { + "blocked": { + "count": 4 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "metrics", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/2.13.0/data_stream/storage/agent/stream/stream.yml.hbs new file mode 100755 index 0000000000..cd1f37e511 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/agent/stream/stream.yml.hbs @@ -0,0 +1,28 @@ +metricsets: ["metrics"] +period: {{period}} +project_id: {{project_id}} +{{#if credentials_file}} +credentials_file_path: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if region}} +region: {{region}} +{{/if}} +{{#if zone}} +zone: {{zone}} +{{/if}} +exclude_labels: {{exclude_labels}} +metrics: + - service: storage + metric_types: + - "api/request_count" + - "authz/acl_based_object_access_count" + - "authz/acl_operations_count" + - "authz/object_specific_acl_mutation_count" + - "network/received_bytes_count" + - "network/sent_bytes_count" + - "storage/object_count" + - "storage/total_byte_seconds" + - "storage/total_bytes" \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/storage/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/storage/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..011741d2b4 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,47 @@ +--- +description: Pipeline for parsing GCP Storage metrics. +processors: + - rename: + field: gcp.metrics.api.request.count + target_field: gcp.storage.api.request.count + ignore_missing: true + - rename: + field: gcp.metrics.authz.acl_based_object_access.count + target_field: gcp.storage.authz.acl_based_object_access.count + ignore_missing: true + - rename: + field: gcp.metrics.authz.acl_operations.count + target_field: gcp.storage.authz.acl_operations.count + ignore_missing: true + - rename: + field: gcp.metrics.authz.object_specific_acl_mutation.count + target_field: gcp.storage.authz.object_specific_acl_mutation.count + ignore_missing: true + - rename: + field: gcp.metrics.network.received.bytes + target_field: gcp.storage.network.received.bytes + ignore_missing: true + - rename: + field: gcp.metrics.network.sent.bytes + target_field: gcp.storage.network.sent.bytes + ignore_missing: true + - rename: + field: gcp.metrics.storage.object.count + target_field: gcp.storage.storage.object.count + ignore_missing: true + - rename: + field: gcp.metrics.storage.total_byte_seconds.bytes + target_field: gcp.storage.storage.total_byte_seconds.bytes + ignore_missing: true + - rename: + field: gcp.metrics.storage.total.bytes + target_field: gcp.storage.storage.total.bytes + ignore_missing: true + - remove: + field: + - gcp.metrics + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/storage/fields/agent.yml b/packages/gcp/2.13.0/data_stream/storage/fields/agent.yml new file mode 100755 index 0000000000..8e686410af --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/fields/agent.yml @@ -0,0 +1,160 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an GCP Compute VM and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/gcp/2.13.0/data_stream/storage/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/storage/fields/base-fields.yml new file mode 100755 index 0000000000..5f309fd4f7 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.storage diff --git a/packages/gcp/2.13.0/data_stream/storage/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/storage/fields/ecs.yml new file mode 100755 index 0000000000..50c7f8c166 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/fields/ecs.yml @@ -0,0 +1,39 @@ +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: |- + The cloud account name or alias used to identify different entities in a multi-tenant environment. + Examples: AWS account name, Google Cloud ORG display name. + name: cloud.account.name + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/storage/fields/fields.yml b/packages/gcp/2.13.0/data_stream/storage/fields/fields.yml new file mode 100755 index 0000000000..5e8d4e279b --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/fields/fields.yml @@ -0,0 +1,31 @@ +- name: gcp.storage + description: Google Cloud Storage metrics + type: group + fields: + - name: api.request.count + type: long + description: Delta count of API calls, grouped by the API method name and response code. + - name: authz.acl_based_object_access.count + type: long + description: Delta count of requests that result in an object being granted access solely due to object ACLs. + - name: authz.acl_operations.count + type: long + description: Usage of ACL operations broken down by type. + - name: authz.object_specific_acl_mutation.count + type: long + description: Delta count of changes made to object specific ACLs. + - name: network.received.bytes + type: long + description: Delta count of bytes received over the network, grouped by the API method name and response code. + - name: network.sent.bytes + type: long + description: Delta count of bytes sent over the network, grouped by the API method name and response code. + - name: storage.object.count + type: long + description: Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. + - name: storage.total_byte_seconds.bytes + type: long + description: Delta count of bytes received over the network, grouped by the API method name and response code. + - name: storage.total.bytes + type: long + description: Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. diff --git a/packages/gcp/2.13.0/data_stream/storage/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/storage/fields/package-fields.yml new file mode 100755 index 0000000000..d8ccb93f50 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/fields/package-fields.yml @@ -0,0 +1,31 @@ +- name: gcp + description: >- + GCP module + fields: + - name: labels + type: object + description: >- + GCP monitoring metrics labels + fields: + - name: user.* + type: object + object_type: keyword + - name: metadata.* + type: object + object_type: keyword + - name: metrics.* + type: object + object_type: keyword + - name: system.* + type: object + object_type: keyword + - name: resource.* + type: object + object_type: keyword + - name: "metrics.*.*.*.*" + type: object + object_type: double + object_type_mapping_type: "*" + description: > + Metrics that returned from Google Cloud API query. + diff --git a/packages/gcp/2.13.0/data_stream/storage/manifest.yml b/packages/gcp/2.13.0/data_stream/storage/manifest.yml new file mode 100755 index 0000000000..fff1d6910a --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/manifest.yml @@ -0,0 +1,31 @@ +title: "GCP Storage Metrics" +type: metrics +streams: + - input: gcp/metrics + title: GCP Storage Metrics + description: Collect GCP Storage Metrics + vars: + - name: zone + type: text + title: GCP Zone + multi: false + required: false + show_user: true + - name: region + type: text + title: GCP Region + multi: false + required: false + show_user: true + - name: period + type: text + title: Period + default: 60s + required: true + - name: exclude_labels + type: bool + title: Exclude Labels + description: Exclude additional labels from metrics + multi: false + required: false + show_user: true diff --git a/packages/gcp/2.13.0/data_stream/storage/sample_event.json b/packages/gcp/2.13.0/data_stream/storage/sample_event.json new file mode 100755 index 0000000000..0b0e8e65ed --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/storage/sample_event.json @@ -0,0 +1,54 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.storage", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "storage": { + "storage": { + "total": { + "bytes": 4472520191 + } + }, + "network": { + "received": { + "bytes": 4472520191 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "storage", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/2.13.0/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs new file mode 100755 index 0000000000..d582de0a80 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs @@ -0,0 +1,27 @@ +project_id: {{project_id}} +topic: {{topic}} +subscription.name: {{subscription_name}} +{{#if credentials_file}} +credentials_file: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if alternative_host}} +alternative_host: {{alternative_host}} +{{/if}} +subscription.create: {{subscription_create}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/2.13.0/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..52c89261fa --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,371 @@ +--- +description: Pipeline for Google Cloud VPC Flow Logs + +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - community_id: + source_ip: json.jsonPayload.connection.src_ip + source_port: json.jsonPayload.connection.src_port + destination_ip: json.jsonPayload.connection.dest_ip + destination_port: json.jsonPayload.connection.dest_port + iana_number: json.jsonPayload.connection.protocol + - date: + field: json.timestamp + timezone: UTC + formats: + - ISO8601 + - set: + field: event.kind + value: event + - set: + field: event.category + value: network + - set: + field: event.type + value: connection + - set: + field: event.id + copy_from: json.insertId + ignore_empty_value: true + ignore_failure: true + - set: + field: cloud.provider + value: gcp + - rename: + field: json.logName + target_field: log.logger + ignore_missing: true + - rename: + field: json.jsonPayload.connection.dest_ip + target_field: destination.address + ignore_missing: true + - rename: + field: json.jsonPayload.connection.dest_port + target_field: destination.port + ignore_missing: true + - rename: + field: json.jsonPayload.connection.protocol + target_field: network.iana_number + ignore_missing: true + - rename: + field: json.jsonPayload.connection.src_ip + target_field: source.address + ignore_missing: true + - rename: + field: json.jsonPayload.connection.src_port + target_field: source.port + ignore_missing: true + - rename: + field: json.jsonPayload.src_instance.vm_name + target_field: source.domain + ignore_missing: true + - rename: + field: json.jsonPayload.dest_instance.vm_name + target_field: destination.domain + ignore_missing: true + - rename: + field: json.jsonPayload.bytes_sent + target_field: source.bytes + ignore_missing: true + - rename: + field: json.jsonPayload.packets_sent + target_field: source.packets + ignore_missing: true + - rename: + field: json.jsonPayload.start_time + target_field: event.start + ignore_missing: true + - rename: + field: json.jsonPayload.end_time + target_field: event.end + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.continent + target_field: destination.geo.continent_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.country + target_field: destination.geo.country_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.region + target_field: destination.geo.region_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_location.city + target_field: destination.geo.city_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.continent + target_field: source.geo.continent_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.country + target_field: source.geo.country_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.region + target_field: source.geo.region_name + ignore_missing: true + - rename: + field: json.jsonPayload.src_location.city + target_field: source.geo.city_name + ignore_missing: true + - rename: + field: json.jsonPayload.dest_instance + target_field: gcp.destination.instance + ignore_missing: true + - rename: + field: json.jsonPayload.dest_vpc + target_field: gcp.destination.vpc + ignore_missing: true + - rename: + field: json.jsonPayload.src_instance + target_field: gcp.source.instance + ignore_missing: true + - rename: + field: json.jsonPayload.src_vpc + target_field: gcp.source.vpc + ignore_missing: true + - convert: + field: json.jsonPayload.rtt_msec + target_field: json.jsonPayload.rtt.ms + type: long + ignore_missing: true + - rename: + field: json.jsonPayload + target_field: gcp.vpcflow + ignore_missing: true + - convert: + field: source.bytes + type: long + ignore_missing: true + - convert: + field: source.packets + type: long + ignore_missing: true + - convert: + field: network.iana_number + type: string + ignore_missing: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - remove: + field: + - gcp.vpcflow.rtt_msec + - gcp.vpcflow.connection + - gcp.vpcflow.dest_location + - gcp.vpcflow.src_location + - json + ignore_missing: true + - set: + field: source.ip + value: "{{source.address}}" + ignore_failure: true + if: ctx?.source?.address != null + - set: + field: destination.ip + value: "{{destination.address}}" + ignore_failure: true + if: ctx?.destination?.address != null + - convert: + field: gcp.source.instance.project_id + target_field: cloud.project.id + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.source.instance.vm_name + target_field: cloud.instance.name + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.source.instance.region + target_field: cloud.region + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.source.instance.zone + target_field: cloud.availability_zone + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.source.vpc.subnetwork_name + target_field: network.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.gcp?.vpcflow?.reporter == "DEST" + - convert: + field: gcp.destination.instance.project_id + target_field: cloud.project.id + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: gcp.destination.instance.vm_name + target_field: cloud.instance.name + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: gcp.destination.instance.region + target_field: cloud.region + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: gcp.destination.instance.zone + target_field: cloud.availability_zone + type: string + ignore_missing: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: gcp.destination.vpc.subnetwork_name + target_field: network.name + type: string + ignore_missing: true + ignore_failure: true + if: ctx?.gcp?.vpcflow?.reporter == "SRC" + - convert: + field: source.bytes + type: long + target_field: network.bytes + ignore_missing: true + - convert: + field: source.packets + type: long + target_field: network.packets + ignore_missing: true + - set: + field: network.direction + value: internal + if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null + - set: + field: network.direction + value: outbound + if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null + - set: + field: network.direction + value: inbound + if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null + - set: + field: network.direction + value: unknown + if: ctx?.network?.direction == null + - set: + field: network.type + value: ipv4 + if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".") + - set: + field: network.type + value: ipv6 + if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".") + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null && ctx?.source?.ip != "" + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null && ctx?.destination?.ip != "" + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/fields/agent.yml b/packages/gcp/2.13.0/data_stream/vpcflow/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/2.13.0/data_stream/vpcflow/fields/base-fields.yml new file mode 100755 index 0000000000..09f5a3a04a --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: gcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: gcp.vpcflow diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/2.13.0/data_stream/vpcflow/fields/ecs.yml new file mode 100755 index 0000000000..87e2bcffa2 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/fields/ecs.yml @@ -0,0 +1,265 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: Port of the destination. + name: destination.port + type: long +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/fields/fields.yml b/packages/gcp/2.13.0/data_stream/vpcflow/fields/fields.yml new file mode 100755 index 0000000000..afd0aca3fa --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/fields/fields.yml @@ -0,0 +1,11 @@ +- name: gcp.vpcflow + type: group + fields: + - name: reporter + type: keyword + description: | + The side which reported the flow. Can be either 'SRC' or 'DEST'. + - name: rtt.ms + type: long + description: | + Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/2.13.0/data_stream/vpcflow/fields/package-fields.yml new file mode 100755 index 0000000000..88482fd9c1 --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/fields/package-fields.yml @@ -0,0 +1,63 @@ +- name: gcp + type: group + fields: + - name: destination.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: destination.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. + - name: source.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: source.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/manifest.yml b/packages/gcp/2.13.0/data_stream/vpcflow/manifest.yml new file mode 100755 index 0000000000..d6fd91bbab --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/manifest.yml @@ -0,0 +1,65 @@ +type: logs +title: Google Cloud Platform (GCP) vpcflow logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-vpcflow + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-vpcflow + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: alternative_host + type: text + title: Alternative host + multi: false + required: false + show_user: false + description: "Overrides the default Pub/Sub service address and disables TLS. For testing." + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-vpcflow + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input diff --git a/packages/gcp/2.13.0/data_stream/vpcflow/sample_event.json b/packages/gcp/2.13.0/data_stream/vpcflow/sample_event.json new file mode 100755 index 0000000000..a1244c2cca --- /dev/null +++ b/packages/gcp/2.13.0/data_stream/vpcflow/sample_event.json @@ -0,0 +1,127 @@ +{ + "@timestamp": "2019-06-14T03:50:10.845Z", + "agent": { + "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "my-sample-project" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.vpcflow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.139.99.242", + "domain": "elasticsearch", + "ip": "10.139.99.242", + "port": 9200 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2022-06-28T02:48:14.443Z", + "dataset": "gcp.vpcflow", + "end": "2019-06-14T03:49:51.821056075Z", + "id": "ut8lbrffooxz5", + "ingested": "2022-06-28T02:48:15Z", + "kind": "event", + "start": "2019-06-14T03:40:20.510622432Z", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "source": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 201 + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "network": { + "bytes": 11773, + "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", + "direction": "internal", + "iana_number": "6", + "name": "default", + "packets": 94, + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.139.99.242" + ] + }, + "source": { + "address": "67.43.156.13", + "as": { + "number": 35908 + }, + "bytes": 11773, + "domain": "kibana", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "packets": 94, + "port": 33576 + }, + "tags": [ + "forwarded", + "gcp-vpcflow" + ] +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/docs/README.md b/packages/gcp/2.13.0/docs/README.md new file mode 100755 index 0000000000..1d599665e0 --- /dev/null +++ b/packages/gcp/2.13.0/docs/README.md @@ -0,0 +1,1542 @@ +# Google Cloud Platform Integration + +The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. + +## Authentication + +To use this Google Cloud Platform (GCP) integration, you need to set up a +*Service Account* with a *Role* and a *Service Account Key* to access data on +your GCP project. + +### Service Account + +First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. + +The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. + +If you haven't already, this might be a good moment to check out the [best +practices for securing service +accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) +guide. + +### Role + +You need to grant your Service Account (SA) access to Google Cloud Platform +resources by assigning a role to the account. In order to assign minimal +privileges, create a custom role that has only the privileges required by Agent. +Those privileges are: + +- `pubsub.subscriptions.consume` +- `pubsub.subscriptions.create` * +- `pubsub.subscriptions.get` +- `pubsub.topics.attachSubscription` * + +\* Only required if Agent is expected to create a new subscription. If you +create the subscriptions yourself you may omit these privileges. + +After you have created the custom role, assign the role to your service account. + +### Service Account Keys + +Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. + +From the list of SA: + +1. Click the one you just created to open the detailed view. +2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. +3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). + +## Configure the Integration Settings + +The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). + +The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. + +### Project Id + +The Project Id is the Google Cloud project ID where your resources exist. + +### Credentials File vs Json + +Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. + +#### Option 1: Credentials File + +Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. + +Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. + +#### Option 2: Credentials JSON + +Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. + +#### Recommendations + +Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. + +## Logs Collection Configuration + +With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. + +### Requirements + +You need to create a few dedicated Google Cloud resources before starting, in detail: + +- Log Sink +- Pub/Sub Topic +- Subscription + +Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. + +Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. + +### On the Google Cloud Console + +At a high level, the steps required are: + +- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. +- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. +- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. +- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. + +This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. + +More example filters for different log types: + +```text +# +# VPC Flow: logs for specific subnet +# +resource.type="gce_subnetwork" AND +log_id("compute.googleapis.com/vpc_flows") AND +resource.labels.subnetwork_name"=[SUBNET_NAME]" +# +# Audit: Google Compute Engine firewall rule deletion +# +resource.type="gce_firewall_rule" AND +log_id("cloudaudit.googleapis.com/activity") AND +protoPayload.methodName:"firewalls.delete" +# +# DNS: all DNS queries +# +resource.type="dns_query" +# +# Firewall: logs for a given country +# +resource.type="gce_subnetwork" AND +log_id("compute.googleapis.com/firewall") AND +jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] +``` + +Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. + +To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. + +### On Kibana + +Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. + +From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: + +- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. +- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). +- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. + +### Troubleshooting + +If you don't see Audit logs showing up, check the Agent logs to see if there are errors. + +Common error types: + +- Missing roles in the Service Account +- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields + +#### Missing Roles in the Service Account + +If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: + +```text +failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. +``` + +Solution: make sure your SA has all the required roles. + +#### Misconfigured Settings + +If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: + +```text +[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. +``` + +Solution: double check the integration settings. + +## Logs + +### Audit + +The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.user.email | User email address. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | +| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | +| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | +| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | +| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | +| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | +| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | +| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | +| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | +| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | +| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | +| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | +| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | +| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | +| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | +| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | +| gcp.audit.request | | flattened | +| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | +| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | +| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | +| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | +| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | +| gcp.audit.response | | flattened | +| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | +| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | +| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | +| gcp.audit.type | Type property. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| orchestrator.api_version | API version being used to carry out the action | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| orchestrator.cluster.version | The version of the cluster. | keyword | +| orchestrator.namespace | Namespace in which the action is taking place. | keyword | +| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | +| orchestrator.resource.name | Name of the resource being acted upon. | keyword | +| orchestrator.resource.type | Type of resource being acted upon. | keyword | +| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-06-28T02:45:52.230Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-06-28T02:45:53Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", + "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": "jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status_value": "Success" + }, + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} +``` + +### Firewall + +The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | +| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | +| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | +| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | +| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | +| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | +| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `firewall` looks as following: + +```json +{ + "@timestamp": "2019-10-30T13:52:42.191Z", + "agent": { + "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "test-beats" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.firewall", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.42.0.2", + "domain": "test-windows", + "ip": "10.42.0.2", + "port": 3389 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": "network", + "created": "2022-06-28T02:47:26.097Z", + "dataset": "gcp.firewall", + "id": "1f21ciqfpfssuo", + "ingested": "2022-06-28T02:47:27Z", + "kind": "event", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "test-beats", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "test-beats", + "subnetwork_name": "windows-isolated", + "vpc_name": "windows-isolated" + } + }, + "firewall": { + "rule_details": { + "action": "ALLOW", + "direction": "INGRESS", + "ip_port_info": [ + { + "ip_protocol": "TCP", + "port_range": [ + "3389" + ] + } + ], + "priority": 1000, + "source_range": [ + "0.0.0.0/0" + ], + "target_tag": [ + "allow-rdp" + ] + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" + }, + "network": { + "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", + "direction": "inbound", + "iana_number": "6", + "name": "windows-isolated", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.2.126", + "10.42.0.2" + ] + }, + "rule": { + "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" + }, + "source": { + "address": "192.168.2.126", + "geo": { + "continent_name": "Asia", + "country_name": "omn" + }, + "ip": "192.168.2.126", + "port": 64853 + }, + "tags": [ + "forwarded", + "gcp-firewall" + ] +} +``` + +### VPC Flow + +The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | +| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `vpcflow` looks as following: + +```json +{ + "@timestamp": "2019-06-14T03:50:10.845Z", + "agent": { + "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "my-sample-project" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.vpcflow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.139.99.242", + "domain": "elasticsearch", + "ip": "10.139.99.242", + "port": 9200 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2022-06-28T02:48:14.443Z", + "dataset": "gcp.vpcflow", + "end": "2019-06-14T03:49:51.821056075Z", + "id": "ut8lbrffooxz5", + "ingested": "2022-06-28T02:48:15Z", + "kind": "event", + "start": "2019-06-14T03:40:20.510622432Z", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "source": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 201 + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "network": { + "bytes": 11773, + "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", + "direction": "internal", + "iana_number": "6", + "name": "default", + "packets": 94, + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.139.99.242" + ] + }, + "source": { + "address": "67.43.156.13", + "as": { + "number": 35908 + }, + "bytes": 11773, + "domain": "kibana", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "packets": 94, + "port": 33576 + }, + "tags": [ + "forwarded", + "gcp-vpcflow" + ] +} +``` + +### DNS + +The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.dns.auth_answer | Authoritative answer. | boolean | +| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | +| gcp.dns.egress_error | Egress proxy error. | keyword | +| gcp.dns.protocol | Protocol TCP or UDP. | keyword | +| gcp.dns.query_name | DNS query name. | keyword | +| gcp.dns.query_type | DNS query type. | keyword | +| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | +| gcp.dns.response_code | Response code. | keyword | +| gcp.dns.server_latency | Server latency. | integer | +| gcp.dns.source_ip | Source IP address of the query. | ip | +| gcp.dns.source_network | Source network of the query. | keyword | +| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | +| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | +| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `dns` looks as following: + +```json +{ + "@timestamp": "2021-12-12T15:59:40.446Z", + "agent": { + "ephemeral_id": "87190725-9632-41a5-ba26-ebffca397d74", + "id": "0168f0f0-b64d-4a7a-ba00-c309f9e7f0ca", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "cloud": { + "project": { + "id": "key-reference-123456" + }, + "provider": "gcp", + "region": "global" + }, + "data_stream": { + "dataset": "gcp.dns", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "216.239.32.106", + "ip": "216.239.32.106" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "67.43.156.13", + "name": "asdf.gcp.example.com.", + "ttl": 300, + "type": "A" + } + ], + "question": { + "name": "asdf.gcp.example.com", + "registered_domain": "example.com", + "subdomain": "asdf.gcp", + "top_level_domain": "com", + "type": "A" + }, + "resolved_ip": [ + "67.43.156.13" + ], + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "0168f0f0-b64d-4a7a-ba00-c309f9e7f0ca", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "dns-query", + "agent_id_status": "verified", + "category": "network", + "created": "2022-10-03T22:33:56.157Z", + "dataset": "gcp.dns", + "id": "zir4wud11tm", + "ingested": "2022-10-03T22:33:57Z", + "kind": "event", + "outcome": "success" + }, + "gcp": { + "dns": { + "auth_answer": true, + "destination_ip": "216.239.32.106", + "protocol": "UDP", + "query_name": "asdf.gcp.example.com.", + "query_type": "A", + "response_code": "NOERROR", + "server_latency": 0, + "source_type": "internet", + "target_type": "public-zone" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/key-reference-123456/logs/dns.googleapis.com%2Fdns_queries" + }, + "network": { + "iana_number": "17", + "protocol": "dns", + "transport": "udp" + }, + "related": { + "hosts": [ + "asdf.gcp.example.com" + ], + "ip": [ + "67.43.156.13", + "216.239.32.106" + ] + }, + "tags": [ + "forwarded", + "gcp-dns" + ] +} +``` + +## Metrics + +### Billing + +The `billing` dataset collects GCP Billing information from Google Cloud BigQuery daily cost detail table. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | +| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | +| gcp.billing.invoice_month | Billing report month. | keyword | +| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | +| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | +| gcp.billing.total | Total billing amount. | float | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | + + +An example event for `billing` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "01475F-5B1080-1137E7" + }, + "project": { + "id": "elastic-bi", + "name": "elastic-containerlib-prod" + }, + "provider": "gcp" + }, + "event": { + "dataset": "gcp.billing", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "billing": { + "billing_account_id": "01475F-5B1080-1137E7", + "cost_type": "regular", + "invoice_month": "202106", + "project_id": "containerlib-prod-12763", + "project_name": "elastic-containerlib-prod", + "total": 4717.170681 + } + }, + "metricset": { + "name": "billing", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +### Compute + +The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | +| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | +| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | +| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | +| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | +| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | +| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | +| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | +| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | +| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | +| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | +| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | +| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. | long | +| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | +| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | +| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | +| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | +| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | +| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | + + +An example event for `compute` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.compute", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "compute": { + "firewall": { + "dropped": { + "bytes": 421 + }, + "dropped_packets_count": { + "value": 4 + } + }, + "instance": { + "cpu": { + "reserved_cores": { + "value": 1 + }, + "usage": { + "pct": 0.07259952346383708 + }, + "usage_time": { + "sec": 4.355971407830225 + } + }, + "memory": { + "balloon": { + "ram_size": { + "value": 4128378880 + }, + "ram_used": { + "value": 2190848000 + }, + "swap_in": { + "bytes": 0 + }, + "swap_out": { + "bytes": 0 + } + } + }, + "uptime": { + "sec": 60.00000000000091 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "compute", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +### Firestore + +The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.firestore.document.delete.count | The number of successful document deletes. | long | +| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | +| gcp.firestore.document.write.count | The number of successful document writes. | long | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | + + +An example event for `firestore` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.firestore", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "firestore": { + "document": { + "delete": { + "count": 3 + }, + "read": { + "count": 10 + }, + "write": { + "count": 1 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "firestore", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` \ No newline at end of file diff --git a/packages/gcp/2.13.0/docs/audit.md b/packages/gcp/2.13.0/docs/audit.md new file mode 100755 index 0000000000..ec4a74ece5 --- /dev/null +++ b/packages/gcp/2.13.0/docs/audit.md @@ -0,0 +1,268 @@ +# Audit + +## Logs + +The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.user.email | User email address. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | +| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | +| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | +| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | +| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | +| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | +| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | +| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | +| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | +| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | +| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | +| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | +| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | +| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | +| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | +| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | +| gcp.audit.request | | flattened | +| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | +| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | +| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | +| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | +| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | +| gcp.audit.response | | flattened | +| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | +| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | +| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | +| gcp.audit.type | Type property. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| orchestrator.api_version | API version being used to carry out the action | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| orchestrator.cluster.version | The version of the cluster. | keyword | +| orchestrator.namespace | Namespace in which the action is taking place. | keyword | +| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | +| orchestrator.resource.name | Name of the resource being acted upon. | keyword | +| orchestrator.resource.type | Type of resource being acted upon. | keyword | +| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "9edf0b6c-05b7-451e-83ad-13b2a23bf4e5", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-06-28T02:45:52.230Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-06-28T02:45:53Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", + "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": "jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status_value": "Success" + }, + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} +``` \ No newline at end of file diff --git a/packages/gcp/2.13.0/docs/billing.md b/packages/gcp/2.13.0/docs/billing.md new file mode 100755 index 0000000000..0612813219 --- /dev/null +++ b/packages/gcp/2.13.0/docs/billing.md @@ -0,0 +1,106 @@ +# Billing + +## Metrics + +The `billing` dataset collects [Cloud Billing Reports](https://cloud.google.com/billing/docs/reports) information from Google Cloud BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data warehouse. Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from BigQuery for detailed analysis. + +Please see [export cloud billing data to BigQuery](https://cloud.google.com/billing/docs/how-to/export-data-bigquery) for more details on how to export billing data. + +In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data table named `gcp_billing_export_v1_`. There is a defined schema for Google Cloud daily cost data that is exported to BigQuery. Please see [daily cost detail data schema](https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema) for more details. + +## Sample Event + +An example event for `billing` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "01475F-5B1080-1137E7" + }, + "project": { + "id": "elastic-bi", + "name": "elastic-containerlib-prod" + }, + "provider": "gcp" + }, + "event": { + "dataset": "gcp.billing", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "billing": { + "billing_account_id": "01475F-5B1080-1137E7", + "cost_type": "regular", + "invoice_month": "202106", + "project_id": "containerlib-prod-12763", + "project_name": "elastic-containerlib-prod", + "total": 4717.170681 + } + }, + "metricset": { + "name": "billing", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +## Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.billing.billing_account_id | Project Billing Account ID. | keyword | +| gcp.billing.cost_type | Cost types include regular, tax, adjustment, and rounding_error. | keyword | +| gcp.billing.invoice_month | Billing report month. | keyword | +| gcp.billing.project_id | Project ID of the billing report belongs to. | keyword | +| gcp.billing.project_name | Project Name of the billing report belongs to. | keyword | +| gcp.billing.total | Total billing amount. | float | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.13.0/docs/compute.md b/packages/gcp/2.13.0/docs/compute.md new file mode 100755 index 0000000000..34b3d0eee8 --- /dev/null +++ b/packages/gcp/2.13.0/docs/compute.md @@ -0,0 +1,172 @@ +# Compute + +## Metrics + +The `compute` dataset is designed to fetch metrics for [Compute Engine](https://cloud.google.com/compute/) Virtual Machines in Google Cloud Platform. It contains all metrics exported from the [GCP Cloud Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-compute). + +Extra labels and metadata are also extracted using the [Compute API](https://cloud.google.com/compute/docs/reference/rest/v1/instances/get). This is enough to get most of the info associated with a metric like Compute labels and metadata and metric specific Labels. + +## Sample Event + +An example event for `compute` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.compute", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "compute": { + "firewall": { + "dropped": { + "bytes": 421 + }, + "dropped_packets_count": { + "value": 4 + } + }, + "instance": { + "cpu": { + "reserved_cores": { + "value": 1 + }, + "usage": { + "pct": 0.07259952346383708 + }, + "usage_time": { + "sec": 4.355971407830225 + } + }, + "memory": { + "balloon": { + "ram_size": { + "value": 4128378880 + }, + "ram_used": { + "value": 2190848000 + }, + "swap_in": { + "bytes": 0 + }, + "swap_out": { + "bytes": 0 + } + } + }, + "uptime": { + "sec": 60.00000000000091 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "compute", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +## Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.compute.firewall.dropped.bytes | Incoming bytes dropped by the firewall | long | +| gcp.compute.firewall.dropped_packets_count.value | Incoming packets dropped by the firewall | long | +| gcp.compute.instance.cpu.reserved_cores.value | Number of cores reserved on the host of the instance | double | +| gcp.compute.instance.cpu.usage.pct | The fraction of the allocated CPU that is currently in use on the instance | double | +| gcp.compute.instance.cpu.usage_time.sec | Usage for all cores in seconds | double | +| gcp.compute.instance.disk.read.bytes | Count of bytes read from disk | long | +| gcp.compute.instance.disk.read_ops_count.value | Count of disk read IO operations | long | +| gcp.compute.instance.disk.write.bytes | Count of bytes written to disk | long | +| gcp.compute.instance.disk.write_ops_count.value | Count of disk write IO operations | long | +| gcp.compute.instance.memory.balloon.ram_size.value | The total amount of memory in the VM. This metric is only available for VMs that belong to the e2 family. | long | +| gcp.compute.instance.memory.balloon.ram_used.value | Memory currently used in the VM. This metric is only available for VMs that belong to the e2 family. | long | +| gcp.compute.instance.memory.balloon.swap_in.bytes | The amount of memory read into the guest from its own swap space. This metric is only available for VMs that belong to the e2 family. | long | +| gcp.compute.instance.memory.balloon.swap_out.bytes | The amount of memory written from the guest to its own swap space. This metric is only available for VMs that belong to the e2 family. | long | +| gcp.compute.instance.network.egress.bytes | Count of bytes sent over the network | long | +| gcp.compute.instance.network.egress.packets.count | Count of packets sent over the network | long | +| gcp.compute.instance.network.ingress.bytes | Count of bytes received from the network | long | +| gcp.compute.instance.network.ingress.packets.count | Count of packets received from the network | long | +| gcp.compute.instance.uptime.sec | Number of seconds the VM has been running. | long | +| gcp.compute.instance.uptime_total.sec | Elapsed time since the VM was started, in seconds. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.13.0/docs/dataproc.md b/packages/gcp/2.13.0/docs/dataproc.md new file mode 100755 index 0000000000..0b90005cea --- /dev/null +++ b/packages/gcp/2.13.0/docs/dataproc.md @@ -0,0 +1,142 @@ +# Dataproc + +## Metrics + +The `dataproc` dataset fetches metrics from [Dataproc](https://cloud.google.com/dataproc/) in Google Cloud Platform. It contains all metrics exported from the [GCP Dataproc Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-dataproc). + +You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Dataproc is a regional service. If no region is specified, it will return metrics from all buckets. + +## Sample Event + +An example event for `dataproc` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.dataproc", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "dataproc": { + "cluster": { + "hdfs": { + "datanodes": { + "count": 15 + } + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "dataproc", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +## Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.dataproc.batch.spark.executors.count | Indicates the number of Batch Spark executors. | long | +| gcp.dataproc.cluster.hdfs.datanodes.count | Indicates the number of HDFS DataNodes that are running inside a cluster. | long | +| gcp.dataproc.cluster.hdfs.storage_capacity.value | Indicates capacity of HDFS system running on cluster in GB. | double | +| gcp.dataproc.cluster.hdfs.storage_utilization.value | The percentage of HDFS storage currently used. | double | +| gcp.dataproc.cluster.hdfs.unhealthy_blocks.count | Indicates the number of unhealthy blocks inside the cluster. | long | +| gcp.dataproc.cluster.job.completion_time.value | The time jobs took to complete from the time the user submits a job to the time Dataproc reports it is completed. | object | +| gcp.dataproc.cluster.job.duration.value | The time jobs have spent in a given state. | object | +| gcp.dataproc.cluster.job.failed.count | Indicates the number of jobs that have failed on a cluster. | long | +| gcp.dataproc.cluster.job.running.count | Indicates the number of jobs that are running on a cluster. | long | +| gcp.dataproc.cluster.job.submitted.count | Indicates the number of jobs that have been submitted to a cluster. | long | +| gcp.dataproc.cluster.operation.completion_time.value | The time operations took to complete from the time the user submits a operation to the time Dataproc reports it is completed. | object | +| gcp.dataproc.cluster.operation.duration.value | The time operations have spent in a given state. | object | +| gcp.dataproc.cluster.operation.failed.count | Indicates the number of operations that have failed on a cluster. | long | +| gcp.dataproc.cluster.operation.running.count | Indicates the number of operations that are running on a cluster. | long | +| gcp.dataproc.cluster.operation.submitted.count | Indicates the number of operations that have been submitted to a cluster. | long | +| gcp.dataproc.cluster.yarn.allocated_memory_percentage.value | The percentage of YARN memory is allocated. | double | +| gcp.dataproc.cluster.yarn.apps.count | Indicates the number of active YARN applications. | long | +| gcp.dataproc.cluster.yarn.containers.count | Indicates the number of YARN containers. | long | +| gcp.dataproc.cluster.yarn.memory_size.value | Indicates the YARN memory size in GB. | double | +| gcp.dataproc.cluster.yarn.nodemanagers.count | Indicates the number of YARN NodeManagers running inside cluster. | long | +| gcp.dataproc.cluster.yarn.pending_memory_size.value | The current memory request, in GB, that is pending to be fulfilled by the scheduler. | double | +| gcp.dataproc.cluster.yarn.virtual_cores.count | Indicates the number of virtual cores in YARN. | long | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.13.0/docs/dns.md b/packages/gcp/2.13.0/docs/dns.md new file mode 100755 index 0000000000..b346d9f751 --- /dev/null +++ b/packages/gcp/2.13.0/docs/dns.md @@ -0,0 +1,208 @@ +# DNS + +## Logs + +The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.dns.auth_answer | Authoritative answer. | boolean | +| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | +| gcp.dns.egress_error | Egress proxy error. | keyword | +| gcp.dns.protocol | Protocol TCP or UDP. | keyword | +| gcp.dns.query_name | DNS query name. | keyword | +| gcp.dns.query_type | DNS query type. | keyword | +| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | +| gcp.dns.response_code | Response code. | keyword | +| gcp.dns.server_latency | Server latency. | integer | +| gcp.dns.source_ip | Source IP address of the query. | ip | +| gcp.dns.source_network | Source network of the query. | keyword | +| gcp.dns.source_type | Type of source generating the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | +| gcp.dns.target_type | Type of target resolving the DNS query: private-zone, public-zone, forwarding-zone, forwarding-policy, peering-zone, internal, external, internet | keyword | +| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `dns` looks as following: + +```json +{ + "@timestamp": "2021-12-12T15:59:40.446Z", + "agent": { + "ephemeral_id": "87190725-9632-41a5-ba26-ebffca397d74", + "id": "0168f0f0-b64d-4a7a-ba00-c309f9e7f0ca", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "cloud": { + "project": { + "id": "key-reference-123456" + }, + "provider": "gcp", + "region": "global" + }, + "data_stream": { + "dataset": "gcp.dns", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "216.239.32.106", + "ip": "216.239.32.106" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "67.43.156.13", + "name": "asdf.gcp.example.com.", + "ttl": 300, + "type": "A" + } + ], + "question": { + "name": "asdf.gcp.example.com", + "registered_domain": "example.com", + "subdomain": "asdf.gcp", + "top_level_domain": "com", + "type": "A" + }, + "resolved_ip": [ + "67.43.156.13" + ], + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "0168f0f0-b64d-4a7a-ba00-c309f9e7f0ca", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "dns-query", + "agent_id_status": "verified", + "category": "network", + "created": "2022-10-03T22:33:56.157Z", + "dataset": "gcp.dns", + "id": "zir4wud11tm", + "ingested": "2022-10-03T22:33:57Z", + "kind": "event", + "outcome": "success" + }, + "gcp": { + "dns": { + "auth_answer": true, + "destination_ip": "216.239.32.106", + "protocol": "UDP", + "query_name": "asdf.gcp.example.com.", + "query_type": "A", + "response_code": "NOERROR", + "server_latency": 0, + "source_type": "internet", + "target_type": "public-zone" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/key-reference-123456/logs/dns.googleapis.com%2Fdns_queries" + }, + "network": { + "iana_number": "17", + "protocol": "dns", + "transport": "udp" + }, + "related": { + "hosts": [ + "asdf.gcp.example.com" + ], + "ip": [ + "67.43.156.13", + "216.239.32.106" + ] + }, + "tags": [ + "forwarded", + "gcp-dns" + ] +} +``` \ No newline at end of file diff --git a/packages/gcp/2.13.0/docs/firestore.md b/packages/gcp/2.13.0/docs/firestore.md new file mode 100755 index 0000000000..2b8c97370e --- /dev/null +++ b/packages/gcp/2.13.0/docs/firestore.md @@ -0,0 +1,127 @@ +# Firestore + +## Metrics + +The `firestore` dataset fetches metrics from [Firestore](https://cloud.google.com/firestore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Firestore Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-firestore). + +You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. + +## Sample Event + +An example event for `firestore` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.firestore", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "firestore": { + "document": { + "delete": { + "count": 3 + }, + "read": { + "count": 10 + }, + "write": { + "count": 1 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "firestore", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +## Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.firestore.document.delete.count | The number of successful document deletes. | long | +| gcp.firestore.document.read.count | The number of successful document reads from queries or lookups. | long | +| gcp.firestore.document.write.count | The number of successful document writes. | long | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.13.0/docs/firewall.md b/packages/gcp/2.13.0/docs/firewall.md new file mode 100755 index 0000000000..48e690fcf4 --- /dev/null +++ b/packages/gcp/2.13.0/docs/firewall.md @@ -0,0 +1,252 @@ +# Firewall + +## Logs + +The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | +| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword | +| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | +| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | +| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | +| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | +| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `firewall` looks as following: + +```json +{ + "@timestamp": "2019-10-30T13:52:42.191Z", + "agent": { + "ephemeral_id": "da5a2e43-d26c-4ee3-bbf3-ad9d9ab853ec", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "test-beats" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.firewall", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.42.0.2", + "domain": "test-windows", + "ip": "10.42.0.2", + "port": 3389 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": "network", + "created": "2022-06-28T02:47:26.097Z", + "dataset": "gcp.firewall", + "id": "1f21ciqfpfssuo", + "ingested": "2022-06-28T02:47:27Z", + "kind": "event", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "test-beats", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "test-beats", + "subnetwork_name": "windows-isolated", + "vpc_name": "windows-isolated" + } + }, + "firewall": { + "rule_details": { + "action": "ALLOW", + "direction": "INGRESS", + "ip_port_info": [ + { + "ip_protocol": "TCP", + "port_range": [ + "3389" + ] + } + ], + "priority": 1000, + "source_range": [ + "0.0.0.0/0" + ], + "target_tag": [ + "allow-rdp" + ] + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" + }, + "network": { + "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", + "direction": "inbound", + "iana_number": "6", + "name": "windows-isolated", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.2.126", + "10.42.0.2" + ] + }, + "rule": { + "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" + }, + "source": { + "address": "192.168.2.126", + "geo": { + "continent_name": "Asia", + "country_name": "omn" + }, + "ip": "192.168.2.126", + "port": 64853 + }, + "tags": [ + "forwarded", + "gcp-firewall" + ] +} +``` \ No newline at end of file diff --git a/packages/gcp/2.13.0/docs/gke.md b/packages/gcp/2.13.0/docs/gke.md new file mode 100755 index 0000000000..58c31a0c39 --- /dev/null +++ b/packages/gcp/2.13.0/docs/gke.md @@ -0,0 +1,160 @@ +# GKE + +## Metrics + +The `gke` dataset fetches metrics from [GKE](https://cloud.google.com/kubernetes-engine) in Google Cloud Platform. It contains all GA metrics exported from the [GCP GKE Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-container). + +You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP GKE does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all regions. + +## Sample Event + +An example event for `gke` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.gke", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "gke": { + "container": { + "cpu": { + "core_usage_time": { + "sec": 15 + } + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "gke", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +## Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.gke.container.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the container in seconds. Sampled every 60 seconds. | double | +| gcp.gke.container.cpu.limit_cores.value | CPU cores limit of the container. Sampled every 60 seconds. | double | +| gcp.gke.container.cpu.limit_utilization.pct | The fraction of the CPU limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | +| gcp.gke.container.cpu.request_cores.value | Number of CPU cores requested by the container. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | +| gcp.gke.container.cpu.request_utilization.pct | The fraction of the requested CPU that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | +| gcp.gke.container.ephemeral_storage.limit.bytes | Local ephemeral storage limit in bytes. Sampled every 60 seconds. | long | +| gcp.gke.container.ephemeral_storage.request.bytes | Local ephemeral storage request in bytes. Sampled every 60 seconds. | long | +| gcp.gke.container.ephemeral_storage.used.bytes | Local ephemeral storage usage in bytes. Sampled every 60 seconds. | long | +| gcp.gke.container.memory.limit.bytes | Memory limit of the container in bytes. Sampled every 60 seconds. | long | +| gcp.gke.container.memory.limit_utilization.pct | The fraction of the memory limit that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed the limit. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | +| gcp.gke.container.memory.page_fault.count | Number of page faults, broken down by type, major and minor. | long | +| gcp.gke.container.memory.request.bytes | Memory request of the container in bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | +| gcp.gke.container.memory.request_utilization.pct | The fraction of the requested memory that is currently in use on the instance. This value can be greater than 1 as usage can exceed the request. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | +| gcp.gke.container.memory.used.bytes | Memory usage in bytes. Sampled every 60 seconds. | long | +| gcp.gke.container.restart.count | Number of times the container has restarted. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | +| gcp.gke.container.uptime.sec | Time in seconds that the container has been running. Sampled every 60 seconds. | double | +| gcp.gke.node.cpu.allocatable_cores.value | Number of allocatable CPU cores on the node. Sampled every 60 seconds. | double | +| gcp.gke.node.cpu.allocatable_utilization.pct | The fraction of the allocatable CPU that is currently in use on the instance. Sampled every 60 seconds. After sampling, data is not visible for up to 240 seconds. | double | +| gcp.gke.node.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used on the node in seconds. Sampled every 60 seconds. | double | +| gcp.gke.node.cpu.total_cores.value | Total number of CPU cores on the node. Sampled every 60 seconds. | double | +| gcp.gke.node.ephemeral_storage.allocatable.bytes | Local ephemeral storage bytes allocatable on the node. Sampled every 60 seconds. | long | +| gcp.gke.node.ephemeral_storage.inodes_free.value | Free number of inodes on local ephemeral storage. Sampled every 60 seconds. | long | +| gcp.gke.node.ephemeral_storage.inodes_total.value | Total number of inodes on local ephemeral storage. Sampled every 60 seconds. | long | +| gcp.gke.node.ephemeral_storage.total.bytes | Total ephemeral storage bytes on the node. Sampled every 60 seconds. | long | +| gcp.gke.node.ephemeral_storage.used.bytes | Local ephemeral storage bytes used by the node. Sampled every 60 seconds. | long | +| gcp.gke.node.memory.allocatable.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | +| gcp.gke.node.memory.allocatable_utilization.pct | The fraction of the allocatable memory that is currently in use on the instance. This value cannot exceed 1 as usage cannot exceed allocatable memory bytes. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | +| gcp.gke.node.memory.total.bytes | Number of bytes of memory allocatable on the node. Sampled every 60 seconds. | long | +| gcp.gke.node.memory.used.bytes | Cumulative memory bytes used by the node. Sampled every 60 seconds. | long | +| gcp.gke.node.network.received_bytes.count | Cumulative number of bytes received by the node over the network. Sampled every 60 seconds. | long | +| gcp.gke.node.network.sent_bytes.count | Cumulative number of bytes transmitted by the node over the network. Sampled every 60 seconds. | long | +| gcp.gke.node.pid_limit.value | The max PID of OS on the node. Sampled every 60 seconds. | long | +| gcp.gke.node.pid_used.value | The number of running process in the OS on the node. Sampled every 60 seconds. | long | +| gcp.gke.node_daemon.cpu.core_usage_time.sec | Cumulative CPU usage on all cores used by the node level system daemon in seconds. Sampled every 60 seconds. | double | +| gcp.gke.node_daemon.memory.used.bytes | Memory usage by the system daemon in bytes. Sampled every 60 seconds. | long | +| gcp.gke.pod.network.received.bytes | Cumulative number of bytes received by the pod over the network. Sampled every 60 seconds. | long | +| gcp.gke.pod.network.sent.bytes | Cumulative number of bytes transmitted by the pod over the network. Sampled every 60 seconds. | long | +| gcp.gke.pod.volume.total.bytes | Total number of disk bytes available to the pod. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | long | +| gcp.gke.pod.volume.used.bytes | Number of disk bytes used by the pod. Sampled every 60 seconds. | long | +| gcp.gke.pod.volume.utilization.pct | The fraction of the volume that is currently being used by the instance. This value cannot be greater than 1 as usage cannot exceed the total available volume space. Sampled every 60 seconds. After sampling, data is not visible for up to 120 seconds. | double | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.13.0/docs/loadbalancing.md b/packages/gcp/2.13.0/docs/loadbalancing.md new file mode 100755 index 0000000000..b7f53f6ca7 --- /dev/null +++ b/packages/gcp/2.13.0/docs/loadbalancing.md @@ -0,0 +1,397 @@ +# Load Balancing + +## Logs + +The `loadbalancing_logs` dataset collects logs of the requests sent to and handled by GCP Load Balancers. + +An example event for `loadbalancing` looks as following: + +```json +{ + "@timestamp": "2020-06-08T23:41:30.078Z", + "agent": { + "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "project": { + "id": "PROJECT_ID" + }, + "region": "global" + }, + "data_stream": { + "dataset": "gcp.loadbalancing_logs", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.193", + "ip": "81.2.69.193", + "nat": { + "ip": "10.5.3.1", + "port": 9090 + }, + "port": 8080 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "category": "network", + "created": "2020-06-08T23:41:30.588Z", + "id": "1oek5rg3l3fxj7", + "kind": "event", + "original": "{\"insertId\":\"1oek5rg3l3fxj7\",\"jsonPayload\":{\"@type\":\"type.googleapis.com/google.cloud.loadbalancin,g.type.LoadBalancerLogEntry\",\"cacheId\":\"SFO-fbae48ad\",\"statusDetails\":\"response_from_cache\"},\"httpRequest\":{\"requestMethod\":\"GET\",\"requestUrl\":\"http://81.2.69.193:8080/static/us/three-cats.jpg\",\"requestSize\":\"577\",\"status\":304,\"responseSize\":\"157\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36\",\"remoteIp\":\"89.160.20.156:9989\",\"cacheHit\":true,\"cacheLookup\":true,\"serverIp\":\"10.5.3.1:9090\",\"protocol\":\"HTTP/2.0\",\"referer\":\"https://developer.mozilla.org/en-US/docs/Web/JavaScript\"},\"resource\":{\"type\":\"http_load_balancer\",\"labels\":{\"zone\":\"global\",\"url_map_name\":\"URL_MAP_NAME\",\"forwarding_rule_name\":\"FORWARDING_RULE_NAME\",\"target_proxy_name\":\"TARGET_PROXY_NAME\",\"backend_service_name\":\"\",\"project_id\":\"PROJECT_ID\"}},\"timestamp\":\"2020-06-08T23:41:30.078651Z\",\"severity\":\"INFO\",\"logName\":\"projects/PROJECT_ID/logs/requests\",\"trace\":\"projects/PROJECT_ID/traces/241d69833e64b3bf83fabac8c873d992\",\"receiveTimestamp\":\"2020-06-08T23:41:30.588272510Z\",\"spanId\":\"7b6537d3672e08e1\"}", + "type": "info" + }, + "gcp": { + "load_balancer": { + "backend_service_name": "", + "cache_hit": true, + "cache_id": "SFO-fbae48ad", + "cache_lookup": true, + "forwarding_rule_name": "FORWARDING_RULE_NAME", + "status_details": "response_from_cache", + "target_proxy_name": "TARGET_PROXY_NAME", + "url_map_name": "URL_MAP_NAME" + } + }, + "http": { + "request": { + "bytes": 577, + "method": "GET", + "referrer": "https://developer.mozilla.org/en-US/docs/Web/JavaScript" + }, + "response": { + "bytes": 157, + "status_code": 304 + }, + "version": "2.0" + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/PROJECT_ID/logs/requests" + }, + "network": { + "protocol": "http" + }, + "related": { + "ip": [ + "89.160.20.156", + "81.2.69.193", + "10.5.3.1" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 9989 + }, + "tags": [ + "forwarded", + "gcp-firewall" + ], + "url": { + "domain": "81.2.69.193", + "extension": "jpg", + "original": "http://81.2.69.193:8080/static/us/three-cats.jpg", + "path": "/static/us/three-cats.jpg", + "port": 8080, + "scheme": "http" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36", + "os": { + "full": "Mac OS X 10.14.6", + "name": "Mac OS X", + "version": "10.14.6" + }, + "version": "83.0.4103.61" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.load_balancer.backend_service_name | The backend service to which the load balancer is sending traffic | keyword | +| gcp.load_balancer.cache_hit | Whether or not an entity was served from cache (with or without validation). | boolean | +| gcp.load_balancer.cache_id | Indicates the location and cache instance that the cache response was served from. For example, a cache response served from a cache in Amsterdam would have a cacheId value of AMS-85e2bd4b, where AMS is the IATA code, and 85e2bd4b is an opaque identifier of the cache instance (because some Cloud CDN locations have multiple discrete caches). | keyword | +| gcp.load_balancer.cache_lookup | Whether or not a cache lookup was attempted. | boolean | +| gcp.load_balancer.forwarding_rule_name | The name of the forwarding rule | keyword | +| gcp.load_balancer.status_details | Explains why the load balancer returned the HTTP status that it did. See https://cloud.google.com/cdn/docs/cdn-logging-monitoring#statusdetail_http_success_messages for specific messages. | keyword | +| gcp.load_balancer.target_proxy_name | The target proxy name | keyword | +| gcp.load_balancer.url_map_name | The URL map name | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.bytes | Total size in bytes of the request (body and headers). | long | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Input type | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +## Metrics + +The `loadbalancing_metrics` dataset fetches HTTPS, HTTP, and Layer 3 metrics from [Load Balancing](https://cloud.google.com/load-balancing/) in Google Cloud Platform. It contains all metrics exported from the [GCP Load Balancing Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-loadbalancing). + +An example event for `loadbalancing` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-observability" + }, + "provider": "gcp", + "region": "us-central1", + "availability_zone": "us-central1-a" + }, + "event": { + "dataset": "gcp.loadbalancing_metrics", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "labels": { + "metrics": { + "client_network": "ocp-be-c5kjr-network", + "client_subnetwork": "ocp-be-c5kjr-worker-subnet", + "client_zone": "us-central1-a" + }, + "resource": { + "backend_name": "ocp-be-c5kjr-master-us-central1-a", + "backend_scope": "us-central1-a", + "backend_scope_type": "ZONE", + "backend_subnetwork_name": "ocp-be-c5kjr-master-subnet", + "backend_target_name": "ocp-be-c5kjr-api-internal", + "backend_target_type": "BACKEND_SERVICE", + "backend_type": "INSTANCE_GROUP", + "forwarding_rule_name": "ocp-be-c5kjr-api-internal", + "load_balancer_name": "ocp-be-c5kjr-api-internal", + "network_name": "ocp-be-c5kjr-network", + "region": "us-central1" + } + }, + "loadbalancing": { + "l3": { + "internal": { + "egress_packets": { + "count": 100 + }, + "egress": { + "bytes": 1247589 + } + } + } + } + }, + "metricset": { + "name": "loadbalancing", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.loadbalancing.https.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | +| gcp.loadbalancing.https.backend_request.bytes | The number of bytes sent as requests from HTTP/S load balancer to backends. | long | +| gcp.loadbalancing.https.backend_request.count | The number of requests served by backends of HTTP/S load balancer. | long | +| gcp.loadbalancing.https.backend_response.bytes | The number of bytes sent as responses from backends (or cache) to external HTTP(S) load balancer. | long | +| gcp.loadbalancing.https.external.regional.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the proxy to the backend until the proxy received from the backend the last byte of response. | object | +| gcp.loadbalancing.https.external.regional.total_latencies.value | A distribution of the latency calculated from when the request was received by the proxy until the proxy got ACK from client on last response byte. | object | +| gcp.loadbalancing.https.frontend_tcp_rtt.value | A distribution of the RTT measured for each connection between client and proxy. | object | +| gcp.loadbalancing.https.internal.backend_latencies.value | A distribution of the latency calculated from when the request was sent by the internal HTTP/S load balancer proxy to the backend until the proxy received from the backend the last byte of response. | object | +| gcp.loadbalancing.https.internal.total_latencies.value | A distribution of the latency calculated from when the request was received by the internal HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | +| gcp.loadbalancing.https.request.bytes | The number of bytes sent as requests from clients to HTTP/S load balancer. | long | +| gcp.loadbalancing.https.request.count | The number of requests served by HTTP/S load balancer. | long | +| gcp.loadbalancing.https.response.bytes | The number of bytes sent as responses from HTTP/S load balancer to clients. | long | +| gcp.loadbalancing.https.total_latencies.value | A distribution of the latency calculated from when the request was received by the external HTTP/S load balancer proxy until the proxy got ACK from client on last response byte. | object | +| gcp.loadbalancing.l3.external.egress.bytes | The number of bytes sent from external TCP/UDP network load balancer backend to client of the flow. For TCP flows it's counting bytes on application stream only. | long | +| gcp.loadbalancing.l3.external.egress_packets.count | The number of packets sent from external TCP/UDP network load balancer backend to client of the flow. | long | +| gcp.loadbalancing.l3.external.ingress.bytes | The number of bytes sent from client to external TCP/UDP network load balancer backend. For TCP flows it's counting bytes on application stream only. | long | +| gcp.loadbalancing.l3.external.ingress_packets.count | The number of packets sent from client to external TCP/UDP network load balancer backend. | long | +| gcp.loadbalancing.l3.external.rtt_latencies.value | A distribution of the round trip time latency, measured over TCP connections for the external network load balancer. | object | +| gcp.loadbalancing.l3.internal.egress.bytes | The number of bytes sent from ILB backend to client (for TCP flows it's counting bytes on application stream only). | long | +| gcp.loadbalancing.l3.internal.egress_packets.count | The number of packets sent from ILB backend to client of the flow. | long | +| gcp.loadbalancing.l3.internal.ingress.bytes | The number of bytes sent from client to ILB backend (for TCP flows it's counting bytes on application stream only). | long | +| gcp.loadbalancing.l3.internal.ingress_packets.count | The number of packets sent from client to ILB backend. | long | +| gcp.loadbalancing.l3.internal.rtt_latencies.value | A distribution of RTT measured over TCP connections for internal TCP/UDP load balancer flows. | object | +| gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value | Number of connections that were terminated over TCP/SSL proxy. | long | +| gcp.loadbalancing.tcp_ssl_proxy.egress.bytes | Number of bytes sent from VM to client using proxy. | long | +| gcp.loadbalancing.tcp_ssl_proxy.frontend_tcp_rtt.value | A distribution of the smoothed RTT (in ms) measured by the proxy's TCP stack, each minute application layer bytes pass from proxy to client. | object | +| gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes | Number of bytes sent from client to VM using proxy. | long | +| gcp.loadbalancing.tcp_ssl_proxy.new_connections.value | Number of connections that were created over TCP/SSL proxy. | long | +| gcp.loadbalancing.tcp_ssl_proxy.open_connections.value | Current number of outstanding connections through the TCP/SSL proxy. | long | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.13.0/docs/pubsub.md b/packages/gcp/2.13.0/docs/pubsub.md new file mode 100755 index 0000000000..ffce8028d9 --- /dev/null +++ b/packages/gcp/2.13.0/docs/pubsub.md @@ -0,0 +1,167 @@ +# PubSub + +## Metrics + +The `pubsub` dataset fetches metrics from [PubSub](https://cloud.google.com/pubsub/) in Google Cloud Platform. It contains all metrics exported from the [GCP PubSub Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-pubsub). + +You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP PubSub does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. + +## Sample Event + +An example event for `pubsub` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.pubsub", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "pubsub": { + "subscription": { + "backlog": { + "bytes": 0 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "pubsub", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +## Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| gcp.pubsub.snapshot.backlog.bytes | Total byte size of the messages retained in a snapshot. | long | +| gcp.pubsub.snapshot.backlog_bytes_by_region.bytes | Total byte size of the messages retained in a snapshot, broken down by Cloud region. | long | +| gcp.pubsub.snapshot.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | +| gcp.pubsub.snapshot.num_messages.value | Number of messages retained in a snapshot. | long | +| gcp.pubsub.snapshot.num_messages_by_region.value | Number of messages retained in a snapshot, broken down by Cloud region. | long | +| gcp.pubsub.snapshot.oldest_message_age.sec | Age (in seconds) of the oldest message retained in a snapshot. | long | +| gcp.pubsub.snapshot.oldest_message_age_by_region.sec | Age (in seconds) of the oldest message retained in a snapshot, broken down by Cloud region. | long | +| gcp.pubsub.subscription.ack_latencies.value | Distribution of ack latencies in milliseconds. The ack latency is the time between when Cloud Pub/Sub sends a message to a subscriber client and when Cloud Pub/Sub receives an Acknowledge request for that message. | object | +| gcp.pubsub.subscription.ack_message.count | Cumulative count of messages acknowledged by Acknowledge requests, grouped by delivery type. | long | +| gcp.pubsub.subscription.backlog.bytes | Total byte size of the unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | +| gcp.pubsub.subscription.byte_cost.bytes | Cumulative cost of operations, measured in bytes. This is used to measure quota utilization. | long | +| gcp.pubsub.subscription.config_updates.count | Cumulative count of configuration changes for each subscription, grouped by operation type and result. | long | +| gcp.pubsub.subscription.dead_letter_message.count | Cumulative count of messages published to dead letter topic, grouped by result. | long | +| gcp.pubsub.subscription.mod_ack_deadline_message.count | Cumulative count of messages whose deadline was updated by ModifyAckDeadline requests, grouped by delivery type. | long | +| gcp.pubsub.subscription.mod_ack_deadline_message_operation.count | Cumulative count of ModifyAckDeadline message operations, grouped by result. | long | +| gcp.pubsub.subscription.mod_ack_deadline_request.count | Cumulative count of ModifyAckDeadline requests, grouped by result. | long | +| gcp.pubsub.subscription.num_outstanding_messages.value | Number of messages delivered to a subscription's push endpoint, but not yet acknowledged. | long | +| gcp.pubsub.subscription.num_undelivered_messages.value | Number of unacknowledged messages (a.k.a. backlog messages) in a subscription. | long | +| gcp.pubsub.subscription.oldest_retained_acked_message_age.sec | Age (in seconds) of the oldest acknowledged message retained in a subscription. | long | +| gcp.pubsub.subscription.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a subscription, broken down by Cloud region. | long | +| gcp.pubsub.subscription.oldest_unacked_message_age.sec | Age (in seconds) of the oldest unacknowledged message (a.k.a. backlog message) in a subscription. | long | +| gcp.pubsub.subscription.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a subscription, broken down by Cloud region. | long | +| gcp.pubsub.subscription.pull_ack_message_operation.count | Cumulative count of acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | +| gcp.pubsub.subscription.pull_ack_request.count | Cumulative count of acknowledge requests, grouped by result. | long | +| gcp.pubsub.subscription.pull_message_operation.count | Cumulative count of pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | +| gcp.pubsub.subscription.pull_request.count | Cumulative count of pull requests, grouped by result. | long | +| gcp.pubsub.subscription.push_request.count | Cumulative count of push attempts, grouped by result. Unlike pulls, the push server implementation does not batch user messages. So each request only contains one user message. The push server retries on errors, so a given user message can appear multiple times. | long | +| gcp.pubsub.subscription.push_request_latencies.value | Distribution of push request latencies (in microseconds), grouped by result. | object | +| gcp.pubsub.subscription.retained_acked.bytes | Total byte size of the acknowledged messages retained in a subscription. | long | +| gcp.pubsub.subscription.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a subscription, broken down by Cloud region. | long | +| gcp.pubsub.subscription.seek_request.count | Cumulative count of seek attempts, grouped by result. | long | +| gcp.pubsub.subscription.sent_message.count | Cumulative count of messages sent by Cloud Pub/Sub to subscriber clients, grouped by delivery type. | long | +| gcp.pubsub.subscription.streaming_pull_ack_message_operation.count | Cumulative count of StreamingPull acknowledge message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | +| gcp.pubsub.subscription.streaming_pull_ack_request.count | Cumulative count of streaming pull requests with non-empty acknowledge ids, grouped by result. | long | +| gcp.pubsub.subscription.streaming_pull_message_operation.count | Cumulative count of streaming pull message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric \subscription/mod_ack_deadline_message_operation_count | long | +| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_message_operation.count | Cumulative count of StreamingPull ModifyAckDeadline operations, grouped by result. | long | +| gcp.pubsub.subscription.streaming_pull_mod_ack_deadline_request.count | Cumulative count of streaming pull requests with non-empty ModifyAckDeadline fields, grouped by result. | long | +| gcp.pubsub.subscription.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | +| gcp.pubsub.subscription.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a subscription, broken down by Cloud region. | long | +| gcp.pubsub.topic.byte_cost.bytes | Cost of operations, measured in bytes. This is used to measure utilization for quotas. | long | +| gcp.pubsub.topic.config_updates.count | Cumulative count of configuration changes, grouped by operation type and result. | long | +| gcp.pubsub.topic.message_sizes.bytes | Distribution of publish message sizes (in bytes) | object | +| gcp.pubsub.topic.oldest_retained_acked_message_age_by_region.value | Age (in seconds) of the oldest acknowledged message retained in a topic, broken down by Cloud region. | long | +| gcp.pubsub.topic.oldest_unacked_message_age_by_region.value | Age (in seconds) of the oldest unacknowledged message in a topic, broken down by Cloud region. | long | +| gcp.pubsub.topic.retained_acked_bytes_by_region.bytes | Total byte size of the acknowledged messages retained in a topic, broken down by Cloud region. | long | +| gcp.pubsub.topic.send_message_operation.count | Cumulative count of publish message operations, grouped by result. For a definition of message operations, see Cloud Pub/Sub metric subscription/mod_ack_deadline_message_operation_count. | long | +| gcp.pubsub.topic.send_request.count | Cumulative count of publish requests, grouped by result. | long | +| gcp.pubsub.topic.streaming_pull_response.count | Cumulative count of streaming pull responses, grouped by result. | long | +| gcp.pubsub.topic.unacked_bytes_by_region.bytes | Total byte size of the unacknowledged messages in a topic, broken down by Cloud region. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.13.0/docs/redis.md b/packages/gcp/2.13.0/docs/redis.md new file mode 100755 index 0000000000..ef19574681 --- /dev/null +++ b/packages/gcp/2.13.0/docs/redis.md @@ -0,0 +1,147 @@ +# Redis + +## Metrics + +The `redis` dataset fetches metrics from [Redis](https://cloud.google.com/memorystore/) in Google Cloud Platform. It contains all metrics exported from the [GCP Redis Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-redis). + +## Sample Event + +An example event for `redis` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.redis", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "redis": { + "clients": { + "blocked": { + "count": 4 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "metrics", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +## Exported fields + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | | | +| error.message | Error message. | match_only_text | | | +| event.dataset | Event dataset | constant_keyword | | | +| event.module | Event module | constant_keyword | | | +| gcp.labels.metadata.\* | | object | | | +| gcp.labels.metrics.\* | | object | | | +| gcp.labels.resource.\* | | object | | | +| gcp.labels.system.\* | | object | | | +| gcp.labels.user.\* | | object | | | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | | | +| gcp.redis.clients.blocked.count | Number of blocked clients. | long | | gauge | +| gcp.redis.clients.connected.count | Number of client connections. | long | | gauge | +| gcp.redis.commands.calls.count | Total number of calls for this command in one minute. | long | | counter | +| gcp.redis.commands.total_time.us | The amount of time in microseconds that this command took in the last second. | long | micros | counter | +| gcp.redis.commands.usec_per_call.sec | Average time per call over 1 minute by command. | double | s | gauge | +| gcp.redis.keyspace.avg_ttl.sec | Average TTL for keys in this database. | double | s | gauge | +| gcp.redis.keyspace.keys.count | Number of keys stored in this database. | long | | gauge | +| gcp.redis.keyspace.keys_with_expiration.count | Number of keys with an expiration in this database. | long | | gauge | +| gcp.redis.persistence.rdb.bgsave_in_progress | Flag indicating a RDB save is on-going. | boolean | | gauge | +| gcp.redis.replication.master.slaves.lag.sec | The number of seconds that replica is lagging behind primary. | long | s | gauge | +| gcp.redis.replication.master.slaves.offset.bytes | The number of bytes that have been acknowledged by replicas. | long | byte | gauge | +| gcp.redis.replication.master_repl_offset.bytes | The number of bytes that master has produced and sent to replicas. | long | byte | gauge | +| gcp.redis.replication.offset_diff.bytes | The largest number of bytes that have not been replicated across all replicas. This is the biggest difference between replication byte offset (master) and replication byte offset (replica) of all replicas. | long | byte | gauge | +| gcp.redis.replication.role | Returns a value indicating the node role. 1 indicates primary and 0 indicates replica. | long | | gauge | +| gcp.redis.server.uptime.sec | Uptime in seconds. | long | s | gauge | +| gcp.redis.stats.cache_hit_ratio | Cache Hit ratio as a fraction. | double | | gauge | +| gcp.redis.stats.connections.total.count | Total number of connections accepted by the server. | long | | counter | +| gcp.redis.stats.cpu_utilization.sec | CPU-seconds consumed by the Redis server, broken down by system/user space and parent/child relationship. | double | s | gauge | +| gcp.redis.stats.evicted_keys.count | Number of evicted keys due to maxmemory limit. | long | | counter | +| gcp.redis.stats.expired_keys.count | Total number of key expiration events. | long | | counter | +| gcp.redis.stats.keyspace_hits.count | Number of successful lookup of keys in the main dictionary. | long | | counter | +| gcp.redis.stats.keyspace_misses.count | Number of failed lookup of keys in the main dictionary. | long | | counter | +| gcp.redis.stats.memory.maxmemory.mb | Maximum amount of memory Redis can consume. | long | m | gauge | +| gcp.redis.stats.memory.system_memory_overload_duration.us | The amount of time in microseconds the instance is in system memory overload mode. | long | micros | gauge | +| gcp.redis.stats.memory.system_memory_usage_ratio | Memory usage as a ratio of maximum system memory. | double | | gauge | +| gcp.redis.stats.memory.usage.bytes | Total number of bytes allocated by Redis. | long | byte | gauge | +| gcp.redis.stats.memory.usage_ratio | Memory usage as a ratio of maximum memory. | double | | gauge | +| gcp.redis.stats.network_traffic.bytes | Total number of bytes sent to/from redis (includes bytes from commands themselves, payload data, and delimiters). | long | byte | counter | +| gcp.redis.stats.pubsub.channels.count | Global number of pub/sub channels with client subscriptions. | long | | gauge | +| gcp.redis.stats.pubsub.patterns.count | Global number of pub/sub pattern with client subscriptions. | long | | gauge | +| gcp.redis.stats.reject_connections.count | Number of connections rejected because of maxclients limit. | long | | gauge | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | diff --git a/packages/gcp/2.13.0/docs/storage.md b/packages/gcp/2.13.0/docs/storage.md new file mode 100755 index 0000000000..fca7e1a230 --- /dev/null +++ b/packages/gcp/2.13.0/docs/storage.md @@ -0,0 +1,132 @@ +# Storage + +## Metrics + +The `storage` dataset fetches metrics from [Storage](https://cloud.google.com/storage/) in Google Cloud Platform. It contains all metrics exported from the [GCP Storage Monitoring API](https://cloud.google.com/monitoring/api/metrics_gcp#gcp-storage). + +You can specify a single region to fetch metrics like `us-central1`. Be aware that GCP Storage does not use zones so `us-central1-a` will return nothing. If no region is specified, it will return metrics from all buckets. + +## Sample Event + +An example event for `storage` looks as following: + +```json +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-obs-integrations-dev", + "name": "elastic-obs-integrations-dev" + }, + "instance": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "machine": { + "type": "e2-medium" + }, + "provider": "gcp", + "availability_zone": "us-central1-c", + "region": "us-central1" + }, + "event": { + "dataset": "gcp.storage", + "duration": 115000, + "module": "gcp" + }, + "gcp": { + "storage": { + "storage": { + "total": { + "bytes": 4472520191 + } + }, + "network": { + "received": { + "bytes": 4472520191 + } + } + }, + "labels": { + "user": { + "goog-gke-node": "" + } + } + }, + "host": { + "id": "4751091017865185079", + "name": "gke-cluster-1-default-pool-6617a8aa-5clh" + }, + "metricset": { + "name": "storage", + "period": 10000 + }, + "service": { + "type": "gcp" + } +} +``` + +## Exported fields + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.message | Error message. | match_only_text | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| gcp.labels.metadata.\* | | object | +| gcp.labels.metrics.\* | | object | +| gcp.labels.resource.\* | | object | +| gcp.labels.system.\* | | object | +| gcp.labels.user.\* | | object | +| gcp.metrics.\*.\*.\*.\* | Metrics that returned from Google Cloud API query. | object | +| gcp.storage.api.request.count | Delta count of API calls, grouped by the API method name and response code. | long | +| gcp.storage.authz.acl_based_object_access.count | Delta count of requests that result in an object being granted access solely due to object ACLs. | long | +| gcp.storage.authz.acl_operations.count | Usage of ACL operations broken down by type. | long | +| gcp.storage.authz.object_specific_acl_mutation.count | Delta count of changes made to object specific ACLs. | long | +| gcp.storage.network.received.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | +| gcp.storage.network.sent.bytes | Delta count of bytes sent over the network, grouped by the API method name and response code. | long | +| gcp.storage.storage.object.count | Total number of objects per bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | +| gcp.storage.storage.total.bytes | Total size of all objects in the bucket, grouped by storage class. This value is measured once per day, and the value is repeated at each sampling interval throughout the day. | long | +| gcp.storage.storage.total_byte_seconds.bytes | Delta count of bytes received over the network, grouped by the API method name and response code. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/gcp/2.13.0/docs/vpcflow.md b/packages/gcp/2.13.0/docs/vpcflow.md new file mode 100755 index 0000000000..65a292796a --- /dev/null +++ b/packages/gcp/2.13.0/docs/vpcflow.md @@ -0,0 +1,257 @@ +# VPC Flow + +## Logs + +The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | +| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `vpcflow` looks as following: + +```json +{ + "@timestamp": "2019-06-14T03:50:10.845Z", + "agent": { + "ephemeral_id": "cb760ad9-6bf9-465b-9022-e5de8df2ba82", + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.3" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "my-sample-project" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.vpcflow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.139.99.242", + "domain": "elasticsearch", + "ip": "10.139.99.242", + "port": 9200 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "08bce509-f1bf-4b71-8b6b-b8965e7a733b", + "snapshot": false, + "version": "8.2.3" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2022-06-28T02:48:14.443Z", + "dataset": "gcp.vpcflow", + "end": "2019-06-14T03:49:51.821056075Z", + "id": "ut8lbrffooxz5", + "ingested": "2022-06-28T02:48:15Z", + "kind": "event", + "start": "2019-06-14T03:40:20.510622432Z", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "source": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "vpcflow": { + "reporter": "DEST", + "rtt": { + "ms": 201 + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "network": { + "bytes": 11773, + "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=", + "direction": "internal", + "iana_number": "6", + "name": "default", + "packets": 94, + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "67.43.156.13", + "10.139.99.242" + ] + }, + "source": { + "address": "67.43.156.13", + "as": { + "number": 35908 + }, + "bytes": 11773, + "domain": "kibana", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "packets": 94, + "port": 33576 + }, + "tags": [ + "forwarded", + "gcp-vpcflow" + ] +} +``` \ No newline at end of file diff --git a/packages/gcp/2.13.0/img/filebeat-gcp-audit.png b/packages/gcp/2.13.0/img/filebeat-gcp-audit.png new file mode 100755 index 0000000000..4f68932e9f Binary files /dev/null and b/packages/gcp/2.13.0/img/filebeat-gcp-audit.png differ diff --git a/packages/gcp/2.13.0/img/gcp-billing.png b/packages/gcp/2.13.0/img/gcp-billing.png new file mode 100755 index 0000000000..b697c285a1 Binary files /dev/null and b/packages/gcp/2.13.0/img/gcp-billing.png differ diff --git a/packages/gcp/2.13.0/img/gcp-compute.png b/packages/gcp/2.13.0/img/gcp-compute.png new file mode 100755 index 0000000000..d4d90d27ad Binary files /dev/null and b/packages/gcp/2.13.0/img/gcp-compute.png differ diff --git a/packages/gcp/2.13.0/img/logo_gcp.svg b/packages/gcp/2.13.0/img/logo_gcp.svg new file mode 100755 index 0000000000..75e139f9b2 --- /dev/null +++ b/packages/gcp/2.13.0/img/logo_gcp.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + diff --git a/packages/gcp/2.13.0/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.13.0/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json new file mode 100755 index 0000000000..6e18c0f8a8 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "Overview of the audit log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs GCP] Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.6", + "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", + "migrationVersion": { + "dashboard": "7.17.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", + "type": "search" + }, + { + "id": "logs-*", + "name": "68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", + "type": "search" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", + "type": "search" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", + "type": "search" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", + "type": "search" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", + "type": "search" + }, + { + "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2022-09-14T09:47:20.533Z", + "version": "WzcxNCwxXQ==" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json b/packages/gcp/2.13.0/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json new file mode 100755 index 0000000000..2558435148 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/dashboard/gcp-6041d970-a6ae-11ea-950e-d57608e3aa51.json @@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "Overview of Google Cloud Load Balancing TCP SSL Proxy Metrics\n\n", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.proxy_continent\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Proxy Continent\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing TCP SSL Proxy Filters [Metrics GCP]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"02422b42-6d8c-4924-acc1-0d7f4fb9a1b1\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"drop_last_bucket\":1,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.open_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Open Connections [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"w\":13,\"x\":10,\"y\":0},\"panelIndex\":\"da16e443-8524-47ea-83e1-6a16250ed61c\",\"title\":\"Open Connections\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"drop_last_bucket\":1,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":1,\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.closed_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Closed Connections [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"w\":13,\"x\":23,\"y\":0},\"panelIndex\":\"305f8fc3-e763-4b2c-8998-9e0e057ce713\",\"title\":\"Closed Connections\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"drop_last_bucket\":1,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=15m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.new_connections.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy New Connections [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"e4fe30c7-906a-4878-bec7-7a78a06d98d0\",\"title\":\"New Connections\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Egress Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"w\":23,\"x\":0,\"y\":16},\"panelIndex\":\"c2bec6ee-96e8-440c-bfa4-6e0def7b0095\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"cd2ddc00-a6a9-11ea-9765-5f34a0c2e541\"}],\"bar_color_rules\":[{\"id\":\"d26268d0-a6a9-11ea-9765-5f34a0c2e541\"}],\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.tcp_ssl_proxy.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"kibana\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing TCP SSL Proxy Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":16,\"i\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"w\":25,\"x\":23,\"y\":16},\"panelIndex\":\"fbaeaa8f-262d-41b1-a621-d6dbff52ff59\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Metrics GCP] Load Balancing TCP SSL Proxy Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.6", + "id": "gcp-6041d970-a6ae-11ea-950e-d57608e3aa51", + "migrationVersion": { + "dashboard": "7.17.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metrics-*", + "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "02422b42-6d8c-4924-acc1-0d7f4fb9a1b1:control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard", + "updated_at": "2022-09-14T09:47:20.533Z", + "version": "WzcxNSwxXQ==" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json b/packages/gcp/2.13.0/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json new file mode 100755 index 0000000000..0ad4ca8ab9 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/dashboard/gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "Overview of Google Cloud Billing Metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"cloud.provider\",\"id\":\"1598550838945\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Cloud Provider \",\"options\":{\"dynamicOptions\":true,\"multiselect\":false,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"cloud.account.id\",\"id\":\"1598893530938\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Account ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"1598550838945\",\"type\":\"list\"},{\"fieldName\":\"gcp.billing.invoice_month\",\"id\":\"1598988595566\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Invoice Month\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Account ID Filter [Metrics GCP]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2552123b-6ad6-4d63-89c3-0672ab428580\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e12171da-25a4-41ea-86d3-8fd71205c263\":{\"columnOrder\":[\"6011e524-4646-410b-8d1c-06c281e8f7ed\",\"f8ab301c-f139-4573-b233-ed8a3f717e24\"],\"columns\":{\"6011e524-4646-410b-8d1c-06c281e8f7ed\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Invoice Month\",\"operationType\":\"terms\",\"params\":{\"orderBy\":{\"columnId\":\"f8ab301c-f139-4573-b233-ed8a3f717e24\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"size\":12},\"scale\":\"ordinal\",\"sourceField\":\"gcp.billing.invoice_month\"},\"f8ab301c-f139-4573-b233-ed8a3f717e24\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Billing Cost\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"gcp.billing.total\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"6011e524-4646-410b-8d1c-06c281e8f7ed\"},{\"columnId\":\"f8ab301c-f139-4573-b233-ed8a3f717e24\"}],\"layerId\":\"e12171da-25a4-41ea-86d3-8fd71205c263\",\"layerType\":\"data\"}},\"title\":\"Total Cost Table [Metrics GCP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"2d3d3b79-0656-45c2-b051-4489484b625c\",\"title\":\"Cost Per Month\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4ca843af-63d7-46b9-a719-51a81eebf1f7\":{\"columnOrder\":[\"2477291e-9021-4eb2-9fce-8da1ee792c49\",\"10b91492-efef-490d-bc7a-c2074b2eae84\"],\"columns\":{\"10b91492-efef-490d-bc7a-c2074b2eae84\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Maximum of gcp.billing.total\",\"operationType\":\"max\",\"scale\":\"ratio\",\"sourceField\":\"gcp.billing.total\"},\"2477291e-9021-4eb2-9fce-8da1ee792c49\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Cost Per Project ID\",\"operationType\":\"terms\",\"params\":{\"orderBy\":{\"columnId\":\"10b91492-efef-490d-bc7a-c2074b2eae84\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"gcp.billing.project_id\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"2477291e-9021-4eb2-9fce-8da1ee792c49\"],\"layerId\":\"4ca843af-63d7-46b9-a719-51a81eebf1f7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"10b91492-efef-490d-bc7a-c2074b2eae84\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Cost Per Project ID [Metrics GCP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"b737e597-cc4d-4437-859c-6d491679599d\",\"title\":\"Cost Per Project ID\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4cb00ce3-c62e-46f3-90ce-b69c876b9605\":{\"columnOrder\":[\"2f66b924-5392-4e5e-93fe-5b23a87068c1\"],\"columns\":{\"2f66b924-5392-4e5e-93fe-5b23a87068c1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"gcp.billing.project_id\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2f66b924-5392-4e5e-93fe-5b23a87068c1\",\"layerId\":\"4cb00ce3-c62e-46f3-90ce-b69c876b9605\",\"layerType\":\"data\"}},\"title\":\"Total Number Of Projects [Metrics GCP]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"w\":8,\"x\":0,\"y\":14},\"panelIndex\":\"9eedb0c7-2089-4e0f-af98-721034203aad\",\"title\":\"Total Number Of Projects\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4ca843af-63d7-46b9-a719-51a81eebf1f7\":{\"columnOrder\":[\"e25f49de-f161-4be8-a8fc-519188a7776c\",\"b92edf5e-58bc-4382-9cd5-19db2c332c93\",\"af747bf6-66e9-4760-bbd8-3dae9c97159d\"],\"columns\":{\"af747bf6-66e9-4760-bbd8-3dae9c97159d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Billing Cost\",\"operationType\":\"max\",\"scale\":\"ratio\",\"sourceField\":\"gcp.billing.total\"},\"b92edf5e-58bc-4382-9cd5-19db2c332c93\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Invoice Month\",\"operationType\":\"terms\",\"params\":{\"orderBy\":{\"type\":\"alphabetical\"},\"orderDirection\":\"asc\",\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.billing.invoice_month\"},\"e25f49de-f161-4be8-a8fc-519188a7776c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Monthly Cost\",\"operationType\":\"terms\",\"params\":{\"orderBy\":{\"columnId\":\"af747bf6-66e9-4760-bbd8-3dae9c97159d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"gcp.billing.project_id\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"fittingFunction\":\"None\",\"layers\":[{\"accessors\":[\"af747bf6-66e9-4760-bbd8-3dae9c97159d\"],\"layerId\":\"4ca843af-63d7-46b9-a719-51a81eebf1f7\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"splitAccessor\":\"b92edf5e-58bc-4382-9cd5-19db2c332c93\",\"xAccessor\":\"e25f49de-f161-4be8-a8fc-519188a7776c\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\"}},\"title\":\"Monthly Cost Per Project [Metrics GCP]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a\",\"title\":\"Cost Per Invoice Month\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c\",\"type\":\"index-pattern\"},{\"id\":\"metrics-*\",\"name\":\"indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"325e60ce-0fbd-42b0-82f6-b10df31fef6c\":{\"columnOrder\":[\"faaaaf23-f362-4a00-be9e-8a155208a39e\",\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\",\"3041fc1b-ceb8-4188-b55d-d354819f267e\"],\"columns\":{\"3041fc1b-ceb8-4188-b55d-d354819f267e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Billing\",\"operationType\":\"max\",\"scale\":\"ratio\",\"sourceField\":\"gcp.billing.total\"},\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"1d\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"faaaaf23-f362-4a00-be9e-8a155208a39e\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Project ID\",\"operationType\":\"terms\",\"params\":{\"orderBy\":{\"columnId\":\"3041fc1b-ceb8-4188-b55d-d354819f267e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"gcp.billing.project_id\"}}},\"4ca843af-63d7-46b9-a719-51a81eebf1f7\":{\"columnOrder\":[\"1164563d-d2b3-4067-bc7b-d694179182ed\",\"10b91492-efef-490d-bc7a-c2074b2eae84\"],\"columns\":{\"10b91492-efef-490d-bc7a-c2074b2eae84\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Billing Cost\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"gcp.billing.total\"},\"1164563d-d2b3-4067-bc7b-d694179182ed\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"1d\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"e25f49de-f161-4be8-a8fc-519188a7776c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Cost\",\"operationType\":\"terms\",\"params\":{\"orderBy\":{\"columnId\":\"10b91492-efef-490d-bc7a-c2074b2eae84\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"gcp.billing.project_id\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"fittingFunction\":\"None\",\"layers\":[{\"accessors\":[\"3041fc1b-ceb8-4188-b55d-d354819f267e\"],\"layerId\":\"325e60ce-0fbd-42b0-82f6-b10df31fef6c\",\"layerType\":\"data\",\"seriesType\":\"bar_stacked\",\"splitAccessor\":\"faaaaf23-f362-4a00-be9e-8a155208a39e\",\"xAccessor\":\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\"}},\"title\":\"Total Cost Bar Chart [Metrics GCP]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"991e60a8-68eb-4c2b-ac9a-b553e90dd49d\",\"title\":\"Total Billing Cost\",\"type\":\"lens\",\"version\":\"7.16.0\"}]", + "timeRestore": false, + "title": "[Metrics GCP] Billing Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.6", + "id": "gcp-76c9e920-e890-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "dashboard": "7.17.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metrics-*", + "name": "2552123b-6ad6-4d63-89c3-0672ab428580:control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2552123b-6ad6-4d63-89c3-0672ab428580:control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2552123b-6ad6-4d63-89c3-0672ab428580:control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2d3d3b79-0656-45c2-b051-4489484b625c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2d3d3b79-0656-45c2-b051-4489484b625c:indexpattern-datasource-layer-e12171da-25a4-41ea-86d3-8fd71205c263", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b737e597-cc4d-4437-859c-6d491679599d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b737e597-cc4d-4437-859c-6d491679599d:indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9eedb0c7-2089-4e0f-af98-721034203aad:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9eedb0c7-2089-4e0f-af98-721034203aad:indexpattern-datasource-layer-4cb00ce3-c62e-46f3-90ce-b69c876b9605", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a:indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:indexpattern-datasource-layer-325e60ce-0fbd-42b0-82f6-b10df31fef6c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d:indexpattern-datasource-layer-4ca843af-63d7-46b9-a719-51a81eebf1f7", + "type": "index-pattern" + } + ], + "type": "dashboard", + "updated_at": "2022-09-14T09:47:20.533Z", + "version": "WzcxNiwxXQ==" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/2.13.0/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json new file mode 100755 index 0000000000..ee3cf263a3 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json @@ -0,0 +1,157 @@ +{ + "attributes": { + "description": "Overview of the firewall log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs GCP] Firewall", + "version": 1 + }, + "coreMigrationVersion": "7.17.6", + "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf", + "migrationVersion": { + "dashboard": "7.17.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2022-09-14T09:47:20.533Z", + "version": "WzcxNywxXQ==" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.13.0/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json new file mode 100755 index 0000000000..6a69dd3fe6 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/dashboard/gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87.json @@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "Overview of GCP Load Balancing L3 Metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.backend_name\",\"id\":\"1588881306802\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Backend Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_zone\",\"id\":\"1588881320708\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Client Zone\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_network\",\"id\":\"1588881383318\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_subnetwork\",\"id\":\"1588881498842\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Client Sub-network\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing L3 Filters [Metrics GCP]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b86e712-4709-458a-b8e9-40e79305b1aa\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Packets [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"44d18a84-d060-4149-825d-eacc61f946f3\",\"title\":\"Egress Packets\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.egress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Egress Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"c38aeaae-69a7-4a6c-a35a-4bf5c8f70e86\",\"title\":\"Egress Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress_packets.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress_packets.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Packets [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"c5782327-dc55-466d-97d8-b79618f0b47a\",\"title\":\"Ingress Packets\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.l3.internal.ingress.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.l3.internal.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.backend_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing L3 Ingress Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"beaf5f45-5217-4aed-b663-69e5e9ca35c3\",\"title\":\"Ingress Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Metrics GCP] Load Balancing L3 Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.6", + "id": "gcp-8f9c6cc0-909d-11ea-8180-7b0dacd9df87", + "migrationVersion": { + "dashboard": "7.17.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metrics-*", + "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8b86e712-4709-458a-b8e9-40e79305b1aa:control_3_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard", + "updated_at": "2022-09-14T09:47:20.533Z", + "version": "WzcxOCwxXQ==" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/2.13.0/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json new file mode 100755 index 0000000000..a0b3b2e600 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json @@ -0,0 +1,157 @@ +{ + "attributes": { + "description": "Overview of the VPC flow log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs GCP] VPC Flow", + "version": 1 + }, + "coreMigrationVersion": "7.17.6", + "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", + "migrationVersion": { + "dashboard": "7.17.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "type": "tag" + } + ], + "type": "dashboard", + "updated_at": "2022-09-14T09:47:20.533Z", + "version": "WzcxOSwxXQ==" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json b/packages/gcp/2.13.0/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json new file mode 100755 index 0000000000..bdc2b94f94 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/dashboard/gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87.json @@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "Overview of GCP Load Balancing HTTPS Metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"gcp.labels.resource.url_map_name\",\"id\":\"1588961027791\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"URL Map Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.resource.region\",\"id\":\"1588961077426\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Region\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"gcp.labels.metrics.client_country\",\"id\":\"1588961157559\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Client Country\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Load Balancing HTTPS Filters [Metrics GCP]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":6,\"i\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"f89112f9-0f3a-4712-a317-23230cd66213\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Count [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"w\":24,\"x\":24,\"y\":6},\"panelIndex\":\"8f4baaa9-6f4d-40fa-a77f-9f68f83a379c\",\"title\":\"Backend Request Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.count : * \"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.count\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Count [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"w\":24,\"x\":0,\"y\":6},\"panelIndex\":\"10490530-a766-4f87-824a-3fc18bf2e85b\",\"title\":\"Request Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_request.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Request Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"w\":24,\"x\":24,\"y\":21},\"panelIndex\":\"e737b020-eb94-4eb1-b53d-50fa551df648\",\"title\":\"Backend Request Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.request.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.request.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Request Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"w\":24,\"x\":0,\"y\":21},\"panelIndex\":\"b90db52e-982e-4360-b5ed-71147ba79246\",\"title\":\"Request Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.backend_response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.backend_response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Backend Response Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"a2a5c845-d426-425f-b2e6-e8df6038fd9d\",\"title\":\"Backend Response Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"1m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"filter\":{\"language\":\"kuery\",\"query\":\"gcp.loadbalancing.https.response.bytes : * \"},\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.loadbalancing.https.response.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"gcp.labels.resource.url_map_name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":null,\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Load Balancing HTTPS Response Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"2bf5bf09-e743-4c6d-8251-d12c9c70f273\",\"title\":\"Response Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Metrics GCP] Load Balancing HTTPS Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.6", + "id": "gcp-aa5b8bd0-9157-11ea-8180-7b0dacd9df87", + "migrationVersion": { + "dashboard": "7.17.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metrics-*", + "name": "f89112f9-0f3a-4712-a317-23230cd66213:control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f89112f9-0f3a-4712-a317-23230cd66213:control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f89112f9-0f3a-4712-a317-23230cd66213:control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard", + "updated_at": "2022-09-14T09:47:20.533Z", + "version": "WzcyMCwxXQ==" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json b/packages/gcp/2.13.0/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json new file mode 100755 index 0000000000..384391484e --- /dev/null +++ b/packages/gcp/2.13.0/kibana/dashboard/gcp-f40ee870-5e4a-11ea-a4f6-717338406083.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "Overview of GCP Compute Metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"28706ab2-1142-401d-9143-f4176a034c10\",\"panelRefName\":\"panel_28706ab2-1142-401d-9143-f4176a034c10\",\"title\":\"Filters\",\"type\":\"visualization\",\"version\":\"7.9.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"74a18260-63df-11ea-9543-55b68a4bcad3\"}],\"bar_color_rules\":[{\"id\":\"77a54c80-63df-11ea-9543-55b68a4bcad3\"}],\"drop_last_bucket\":0,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"gauge_color_rules\":[{\"id\":\"777371a0-63e0-11ea-9543-55b68a4bcad3\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"circle\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"\\u003e=5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"Average Uptime\",\"line_width\":1,\"metrics\":[{\"denominator\":\"60\",\"field\":\"gcp.compute.instance.uptime.sec\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"numerator\":\"gcp.compute.instance.uptime.sec\",\"type\":\"avg\",\"values\":[\"60\"]},{\"id\":\"81dc6000-63e7-11ea-994d-3b2599babc53\",\"script\":\"params.uptime / 60\\n\",\"type\":\"math\",\"variables\":[{\"field\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"id\":\"85f3bd00-63e7-11ea-994d-3b2599babc53\",\"name\":\"uptime\"}]}],\"override_index_pattern\":0,\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Compute Instance Uptime Gauge [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":17,\"i\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"w\":10,\"x\":7,\"y\":0},\"panelIndex\":\"2034fcc8-5cd7-4ee8-8c8f-99054f025b05\",\"title\":\"Instance Uptime\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"percent\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.cpu.usage.pct\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute CPU Utilization [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":17,\"i\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"5f6f2ecd-dcaf-4455-967c-ede6b38f431f\",\"title\":\"CPU Utilization\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.read_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Read I/O [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"9c6f36f5-c2b2-40f5-8ee3-af6131168842\",\"title\":\"Read I/O\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.disk.write_ops_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Write I/O [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"93906f63-42c9-4f30-9b2c-05041a9e1efe\",\"title\":\"Write I/O\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.egress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Sent Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"e1a4e862-dd00-409f-8746-8a8e4bc82807\",\"title\":\"Network Sent Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":0,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.instance.network.ingress.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Network Received Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce\",\"title\":\"Network Received Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"bytes\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped.bytes\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"3\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Bytes [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"w\":24,\"x\":0,\"y\":47},\"panelIndex\":\"00689e12-4cb3-49ad-ac33-dbe4279f446e\",\"title\":\"Firewall Dropped Bytes\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"background_color_rules\":[{\"id\":\"3ece14c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"bar_color_rules\":[{\"id\":\"3b9c35c0-5e4c-11ea-9061-37f24ca5b01f\"}],\"drop_last_bucket\":0,\"gauge_color_rules\":[{\"id\":\"3b27a200-5e4c-11ea-9061-37f24ca5b01f\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"metrics-*\",\"interval\":\"5m\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"label\":\"\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"gcp.compute.firewall.dropped_packets_count.value\",\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"avg\"}],\"point_size\":\"2\",\"separate_axis\":0,\"split_color_mode\":\"rainbow\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cloud.instance.name\",\"terms_order_by\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Compute Firewall Dropped Packets [Metrics GCP]\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"w\":24,\"x\":24,\"y\":47},\"panelIndex\":\"901e7bf5-35f5-4c1a-9627-27f6c20d2514\",\"title\":\"Firewall Dropped Packets\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Metrics GCP] Compute Overview", + "version": 1 + }, + "coreMigrationVersion": "7.17.6", + "id": "gcp-f40ee870-5e4a-11ea-a4f6-717338406083", + "migrationVersion": { + "dashboard": "7.17.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "gcp-3aa96470-5fc4-11ea-a4f6-717338406083", + "name": "28706ab2-1142-401d-9143-f4176a034c10:panel_28706ab2-1142-401d-9143-f4176a034c10", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2022-09-14T09:47:20.533Z", + "version": "WzcyMSwxXQ==" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/2.13.0/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json new file mode 100755 index 0000000000..3e96491081 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "user.email", + "service.name", + "gcp.audit.type", + "event.action", + "event.outcome", + "source.ip", + "source.geo.region_name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [], + "title": "Audit [Logs GCP]", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/2.13.0/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json new file mode 100755 index 0000000000..5f9cb58c69 --- /dev/null +++ b/packages/gcp/2.13.0/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json @@ -0,0 +1,11 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "All assets to monitor GCP", + "name": "GCP" + }, + "coreMigrationVersion": "7.17.0", + "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/gcp/2.13.0/manifest.yml b/packages/gcp/2.13.0/manifest.yml new file mode 100755 index 0000000000..eecda9f04b --- /dev/null +++ b/packages/gcp/2.13.0/manifest.yml @@ -0,0 +1,213 @@ +name: gcp +title: Google Cloud Platform +version: "2.13.0" +release: ga +description: Collect logs from Google Cloud Platform with Elastic Agent. +type: integration +icons: + - src: /img/logo_gcp.svg + title: logo gcp + size: 32x32 + type: image/svg+xml +format_version: 1.0.0 +license: basic +categories: + - google_cloud + - cloud +conditions: + kibana.version: ^8.3.0 +screenshots: + - src: /img/filebeat-gcp-audit.png + title: filebeat gcp audit + size: 1702x996 + type: image/png + - src: /img/gcp-billing.png + title: GCP Billing Metrics Dashboard + size: 2000x1020 + type: image/png + - src: /img/gcp-compute.png + title: GCP Compute Metrics Dashboard + size: 2000x2021 + type: image/png +vars: + - name: project_id + type: text + title: Project Id + multi: false + required: true + show_user: true + default: SET_PROJECT_NAME + - name: credentials_file + type: text + title: Credentials File + multi: false + required: false + show_user: true + - name: credentials_json + type: text + title: Credentials Json + multi: false + required: false + show_user: true +policy_templates: + - name: audit + title: Google Cloud Platform (GCP) Audit logs + description: Collect audit logs from Google Cloud Platform (GCP) with Elastic Agent + categories: + - security + data_streams: + - audit + inputs: + - type: gcp-pubsub + title: "Collect Google Cloud Platform (GCP) audit logs (input: gcp-pubsub)" + description: "Collecting audit logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" + input_group: logs + screenshots: + - src: /img/filebeat-gcp-audit.png + title: filebeat gcp audit + size: 1702x996 + type: image/png + - name: firewall + title: Google Cloud Platform (GCP) Firewall logs + description: Collect firewall logs from Google Cloud Platform (GCP) with Elastic Agent + categories: + - network + - security + data_streams: + - firewall + inputs: + - type: gcp-pubsub + title: "Collect Google Cloud Platform (GCP) firewall logs (input: gcp-pubsub)" + description: "Collecting firewall logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" + input_group: logs + - name: vpcflow + title: Google Cloud Platform (GCP) VPC Flow logs + description: Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent + categories: + - network + - security + data_streams: + - vpcflow + inputs: + - type: gcp-pubsub + title: "Collect Google Cloud Platform (GCP) VPC Flow logs (input: gcp-pubsub)" + description: "Collecting vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" + input_group: logs + - name: dns + title: Google Cloud Platform (GCP) DNS logs + description: Collect DNS logs from Google Cloud Platform (GCP) with Elastic Agent + categories: + - network + - security + data_streams: + - dns + inputs: + - type: gcp-pubsub + title: "Collect Google Cloud Platform (GCP) DNS logs (input: gcp-pubsub)" + description: "Collecting DNS logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" + input_group: logs + - name: billing + title: Google Cloud Platform (GCP) Billing metrics + description: Collect billing metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - billing + inputs: + - type: gcp/metrics + title: Collect GCP Billing Metrics + description: Collect GCP Billing Metrics + input_group: metrics + screenshots: + - src: /img/gcp-billing.png + title: GCP Billing Metrics Dashboard + size: 2000x1020 + type: image/png + - name: compute + title: Google Cloud Platform (GCP) Compute metrics + description: Collect compute metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - compute + inputs: + - type: gcp/metrics + title: Collect GCP Compute Metrics + description: Collect GCP Compute Metrics + input_group: metrics + screenshots: + - src: /img/gcp-compute.png + title: GCP Compute Metrics Dashboard + size: 2000x2021 + type: image/png + - name: firestore + title: Google Cloud Platform (GCP) Firestore metrics + description: Collect firestore metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - firestore + inputs: + - type: gcp/metrics + title: Collect GCP Firestore Metrics + description: Collect GCP Firestore Metrics + input_group: metrics + - name: loadbalancing + title: Google Cloud Platform (GCP) Load Balancing metrics + description: Collect Load Balancing metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - loadbalancing_metrics + - loadbalancing_logs + inputs: + - type: gcp/metrics + title: Collect GCP Load Balancing Metrics + description: Collect GCP Load Balancing Metrics + input_group: metrics + - type: gcp-pubsub + title: "Collect Google Cloud Platform (GCP) load balancing logs (input: gcp-pubsub)" + description: "Collecting load balancing logs from Google Cloud Platform (GCP) (input: gcp-pubsub)" + input_group: logs + - name: storage + title: Google Cloud Platform (GCP) Storage metrics + description: Collect storage metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - storage + inputs: + - type: gcp/metrics + title: Collect GCP Storage Metrics + description: Collect GCP Storage Metrics + input_group: metrics + - name: gke + title: Google Cloud Platform (GCP) GKE metrics + description: Collect gke metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - gke + inputs: + - type: gcp/metrics + title: Collect GCP GKE Metrics + description: Collect GCP GKE Metrics + input_group: metrics + - name: dataproc + title: Google Cloud Platform (GCP) Dataproc metrics + description: Collect dataproc metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - dataproc + inputs: + - type: gcp/metrics + title: Collect GCP Dataproc Metrics + description: Collect GCP Dataproc Metrics + input_group: metrics + - name: pubsub + title: Google Cloud Platform (GCP) PubSub metrics + description: Collect pubsub metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - pubsub + inputs: + - type: gcp/metrics + title: Collect GCP PubSub Metrics + description: Collect GCP PubSub Metrics + - name: redis + title: Google Cloud Platform (GCP) Redis metrics + description: Collect Redis metrics from Google Cloud Platform (GCP) with Elastic Agent + data_streams: + - redis + inputs: + - type: gcp/metrics + title: Collect GCP Redis Metrics + description: Collect GCP Redis Metrics +owner: + github: elastic/security-external-integrations diff --git a/packages/google_workspace/1.7.2/LICENSE.txt b/packages/google_workspace/1.7.2/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/google_workspace/1.7.2/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/google_workspace/1.7.2/changelog.yml b/packages/google_workspace/1.7.2/changelog.yml new file mode 100755 index 0000000000..c96049f2fd --- /dev/null +++ b/packages/google_workspace/1.7.2/changelog.yml @@ -0,0 +1,184 @@ +# newer versions go on top +- version: "1.7.2" + changes: + - description: Remove duplicate fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/4397 +- version: "1.7.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.7.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3865 +- version: "1.6.1" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "1.6.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.5.1" + changes: + - description: update readme + type: enhancement + link: https://github.com/elastic/integrations/pull/3107 +- version: "1.5.0" + changes: + - description: Allow to set credentials directly in the config. + type: enhancement + link: https://github.com/elastic/integrations/pull/3430 +- version: "1.4.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "1.3.4" + changes: + - description: Fix pagination to prevent skipped events when more than one page is present. + type: bugfix + link: https://github.com/elastic/integrations/pull/3140 +- version: "1.3.3" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.3.2" + changes: + - description: Add mapping for ECS event.created. + type: bugfix + link: https://github.com/elastic/integrations/pull/2862 +- version: "1.3.1" + changes: + - description: Remove redundant `event.ingested` from pipelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/2797 + - description: Validate IP fields and remove invalid data to prevent index mapping exceptions. + type: bugfix + link: https://github.com/elastic/integrations/pull/2801 +- version: "1.3.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2408 +- version: "1.2.3" + changes: + - description: Fix admin pipeline parameter processing + type: bugfix + link: https://github.com/elastic/integrations/issues/2533 +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2256 +- version: "1.1.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2106 +- version: "1.1.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1966 +- version: "1.1.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1819 +- version: "1.1.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1634 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1719 +- version: "0.7.3" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1479 +- version: '0.7.2' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1386 +- version: "0.7.1" + changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1405 +- version: "0.7.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.6.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1263 +- version: "0.5.0" + changes: + - description: add system tests and remove log input + type: enhancement + link: https://github.com/elastic/integrations/pull/1130 +- version: "0.4.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1046 +- version: "0.3.1" + changes: + - description: add fingerprint processor to avoid duplicated events. + type: enhancement + link: https://github.com/elastic/integrations/pull/1019 +- version: "0.3.0" + changes: + - description: move edge processing to ingest pipelines + type: enhancement + link: https://github.com/elastic/integrations/pull/939 +- version: "0.2.4" + changes: + - description: add fail_on_template_error on pagination + type: bugfix + link: https://github.com/elastic/integrations/pull/900 +- version: "0.2.3" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/847 +- version: "0.2.2" + changes: + - description: fix status code parsing for saml datastream + type: bugfix # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/809 +- version: "0.2.1" + changes: + - description: fixes date formatting for pagination + type: bugfix # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/795 +- version: "0.0.1" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/466 diff --git a/packages/google_workspace/1.7.2/data_stream/admin/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.7.2/data_stream/admin/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..86e50863da --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/agent/stream/httpjson.yml.hbs @@ -0,0 +1,44 @@ +config_version: "2" +interval: {{interval}} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{jwt_file}} +auth.oauth2.google.jwt_json: {{jwt_json}} +auth.oauth2.google.delegated_account: {{delegated_account}} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/admin +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: url.params.startTime + value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' +response.split: + target: body.items + split: + target: body.events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" + fail_on_template_error: true +cursor: + last_execution_datetime: + value: "[[formatDate now]]" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.7.2/data_stream/admin/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..4943fac9bf --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,790 @@ +--- +description: Pipeline for parsing google_workspace logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - append: + field: event.category + value: iam + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.id.time + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + - rename: + field: json.events.name + target_field: event.action + ignore_missing: true + - fingerprint: + description: Hashes the ID object and uses it as the document id to avoid duplicate events. + fields: + - json.id + target_field: _id + ignore_missing: true + ignore_failure: true + - rename: + field: json.id.applicationName + target_field: event.provider + ignore_missing: true + - rename: + field: json.id.uniqueQualifier + target_field: event.id + ignore_missing: true + - rename: + field: json.actor.email + target_field: source.user.email + ignore_missing: true + - rename: + field: json.actor.profileId + target_field: source.user.id + ignore_missing: true + - convert: + field: json.ipAddress + target_field: source.ip + type: ip + ignore_failure: true + - rename: + field: json.kind + target_field: google_workspace.kind + ignore_missing: true + - rename: + field: json.id.customerId + target_field: organization.id + ignore_missing: true + - rename: + field: json.actor.callerType + target_field: google_workspace.actor.type + ignore_missing: true + - rename: + field: json.actor.key + target_field: google_workspace.actor.key + ignore_missing: true + - rename: + field: json.ownerDomain + target_field: google_workspace.organization.domain + ignore_missing: true + - rename: + field: json.events.type + target_field: google_workspace.event.type + ignore_missing: true + - set: + field: user.id + copy_from: source.user.id + if: ctx?.source?.user?.id != null + - append: + field: event.category + value: configuration + if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","DELETE_APPLICATION_SETTING","DELETE_GMAIL_SETTING"].contains(ctx?.event?.action)' + - append: + field: event.type + value: change + if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","UPDATE_BUILDING","RENAME_CALENDAR_RESOURCE","UPDATE_CALENDAR_RESOURCE","CANCEL_CALENDAR_EVENTS","RELEASE_CALENDAR_RESOURCES","CHANGE_DEVICE_STATE","CHANGE_CHROME_OS_DEVICE_ANNOTATION","CHANGE_CHROME_OS_DEVICE_STATE","UPDATE_CHROME_OS_PRINT_SERVER","UPDATE_CHROME_OS_PRINTER","MOVE_DEVICE_TO_ORG_UNIT_DETAILED","UPDATE_DEVICE","SEND_CHROME_OS_DEVICE_COMMAND","ASSIGN_ROLE","ADD_PRIVILEGE","REMOVE_PRIVILEGE","RENAME_ROLE","UPDATE_ROLE","UNASSIGN_ROLE","TRANSFER_DOCUMENT_OWNERSHIP","ORG_USERS_LICENSE_ASSIGNMENT","ORG_ALL_USERS_LICENSE_ASSIGNMENT","USER_LICENSE_ASSIGNMENT","CHANGE_LICENSE_AUTO_ASSIGN","USER_LICENSE_REASSIGNMENT","ORG_LICENSE_REVOKE","USER_LICENSE_REVOKE","UPDATE_DYNAMIC_LICENSE","DROP_FROM_QUARANTINE","REJECT_FROM_QUARANTINE","RELEASE_FROM_QUARANTINE","CHROME_LICENSES_ENABLED","CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","ASSIGN_CUSTOM_LOGO","UNASSIGN_CUSTOM_LOGO","REVOKE_ENROLLMENT_TOKEN","CHROME_LICENSES_ALLOWED","EDIT_ORG_UNIT_DESCRIPTION","MOVE_ORG_UNIT","EDIT_ORG_UNIT_NAME","REVOKE_DEVICE_ENROLLMENT_TOKEN","TOGGLE_SERVICE_ENABLED","ADD_TO_TRUSTED_OAUTH2_APPS","REMOVE_FROM_TRUSTED_OAUTH2_APPS","BLOCK_ON_DEVICE_ACCESS","TOGGLE_CAA_ENABLEMENT","CHANGE_CAA_ERROR_MESSAGE","CHANGE_CAA_APP_ASSIGNMENTS","UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","TRUST_DOMAIN_OWNED_OAUTH2_APPS","UNBLOCK_ON_DEVICE_ACCESS","CHANGE_ACCOUNT_AUTO_RENEWAL","ADD_APPLICATION","ADD_APPLICATION_TO_WHITELIST","CHANGE_ADVERTISEMENT_OPTION","CHANGE_ALERT_CRITERIA","ALERT_RECEIVERS_CHANGED","RENAME_ALERT","ALERT_STATUS_CHANGED","ADD_DOMAIN_ALIAS","REMOVE_DOMAIN_ALIAS","AUTHORIZE_API_CLIENT_ACCESS","REMOVE_API_CLIENT_ACCESS","CHROME_LICENSES_REDEEMED","TOGGLE_AUTO_ADD_NEW_SERVICE","CHANGE_PRIMARY_DOMAIN","CHANGE_CONFLICT_ACCOUNT_ACTION","CHANGE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","CHANGE_DOMAIN_DEFAULT_LOCALE","CHANGE_DOMAIN_DEFAULT_TIMEZONE","CHANGE_DOMAIN_NAME","TOGGLE_ENABLE_PRE_RELEASE_FEATURES","CHANGE_DOMAIN_SUPPORT_MESSAGE","ADD_TRUSTED_DOMAINS","REMOVE_TRUSTED_DOMAINS","CHANGE_EDU_TYPE","CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","CHANGE_LOGIN_BACKGROUND_COLOR","CHANGE_LOGIN_BORDER_COLOR","CHANGE_LOGIN_ACTIVITY_TRACE","PLAY_FOR_WORK_ENROLL","PLAY_FOR_WORK_UNENROLL","UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","CHANGE_ORGANIZATION_NAME","CHANGE_PASSWORD_MAX_LENGTH","CHANGE_PASSWORD_MIN_LENGTH","REMOVE_APPLICATION","REMOVE_APPLICATION_FROM_WHITELIST","CHANGE_RENEW_DOMAIN_REGISTRATION","CHANGE_RESELLER_ACCESS","RULE_ACTIONS_CHANGED","CHANGE_RULE_CRITERIA","RENAME_RULE","RULE_STATUS_CHANGED","ADD_SECONDARY_DOMAIN","REMOVE_SECONDARY_DOMAIN","UPDATE_DOMAIN_SECONDARY_EMAIL","UPDATE_RULE","ADD_MOBILE_CERTIFICATE","COMPANY_OWNED_DEVICE_BLOCKED","COMPANY_OWNED_DEVICE_UNBLOCKED","COMPANY_OWNED_DEVICE_WIPED","CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","ADD_MOBILE_APPLICATION_TO_WHITELIST","CHANGE_ADMIN_RESTRICTIONS_PIN","CHANGE_MOBILE_WIRELESS_NETWORK","ADD_MOBILE_WIRELESS_NETWORK","REMOVE_MOBILE_WIRELESS_NETWORK","CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","REMOVE_MOBILE_CERTIFICATE","CREATE_APPLICATION_SETTING","CREATE_GMAIL_SETTING","REORDER_GROUP_BASED_POLICIES_EVENT","CHANGE_GROUP_DESCRIPTION","ADD_GROUP_MEMBER","REMOVE_GROUP_MEMBER","UPDATE_GROUP_MEMBER","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","CHANGE_GROUP_NAME","CHANGE_GROUP_SETTING","GROUP_MEMBER_BULK_UPLOAD","WHITELISTED_GROUPS_UPDATED","REVOKE_3LO_DEVICE_TOKENS","REVOKE_3LO_TOKEN","ADD_RECOVERY_EMAIL","ADD_RECOVERY_PHONE","GRANT_ADMIN_PRIVILEGE","REVOKE_ADMIN_PRIVILEGE","REVOKE_ASP","TOGGLE_AUTOMATIC_CONTACT_SHARING","CANCEL_USER_INVITE","CHANGE_USER_CUSTOM_FIELD","CHANGE_USER_EXTERNAL_ID","CHANGE_USER_GENDER","CHANGE_USER_IM","ENABLE_USER_IP_WHITELIST","CHANGE_USER_KEYWORD","CHANGE_USER_LANGUAGE","CHANGE_USER_LOCATION","CHANGE_USER_ORGANIZATION","CHANGE_USER_PHONE_NUMBER","CHANGE_RECOVERY_EMAIL","CHANGE_RECOVERY_PHONE","CHANGE_USER_RELATION","CHANGE_USER_ADDRESS","GRANT_DELEGATED_ADMIN_PRIVILEGES","CHANGE_FIRST_NAME","GMAIL_RESET_USER","CHANGE_LAST_NAME","MAIL_ROUTING_DESTINATION_ADDED","MAIL_ROUTING_DESTINATION_REMOVED","ADD_NICKNAME","REMOVE_NICKNAME","CHANGE_PASSWORD","CHANGE_PASSWORD_ON_NEXT_LOGIN","REMOVE_RECOVERY_EMAIL","REMOVE_RECOVERY_PHONE","RESET_SIGNIN_COOKIES","SECURITY_KEY_REGISTERED_FOR_USER","REVOKE_SECURITY_KEY","TURN_OFF_2_STEP_VERIFICATION","UNBLOCK_USER_SESSION","UNENROLL_USER_FROM_TITANIUM","ARCHIVE_USER","UPDATE_BIRTHDATE","DOWNGRADE_USER_FROM_GPLUS","USER_ENROLLED_IN_TWO_STEP_VERIFICATION","MOVE_USER_TO_ORG_UNIT","USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","RENAME_USER","UNENROLL_USER_FROM_STRONG_AUTH","SUSPEND_USER","UNARCHIVE_USER","UNSUSPEND_USER","UPGRADE_USER_TO_GPLUS","MOBILE_DEVICE_APPROVE","MOBILE_DEVICE_BLOCK","MOBILE_DEVICE_WIPE","MOBILE_ACCOUNT_WIPE","MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK"].contains(ctx?.event?.action)' + - append: + field: event.type + value: user + if: '["REVOKE_3LO_DEVICE_TOKENS","REVOKE_3LO_TOKEN","ADD_RECOVERY_EMAIL","ADD_RECOVERY_PHONE","GRANT_ADMIN_PRIVILEGE","REVOKE_ADMIN_PRIVILEGE","REVOKE_ASP","TOGGLE_AUTOMATIC_CONTACT_SHARING","CANCEL_USER_INVITE","CHANGE_USER_CUSTOM_FIELD","CHANGE_USER_EXTERNAL_ID","CHANGE_USER_GENDER","CHANGE_USER_IM","ENABLE_USER_IP_WHITELIST","CHANGE_USER_KEYWORD","CHANGE_USER_LANGUAGE","CHANGE_USER_LOCATION","CHANGE_USER_ORGANIZATION","CHANGE_USER_PHONE_NUMBER","CHANGE_RECOVERY_EMAIL","CHANGE_RECOVERY_PHONE","CHANGE_USER_RELATION","CHANGE_USER_ADDRESS","GRANT_DELEGATED_ADMIN_PRIVILEGES","CHANGE_FIRST_NAME","GMAIL_RESET_USER","CHANGE_LAST_NAME","MAIL_ROUTING_DESTINATION_ADDED","MAIL_ROUTING_DESTINATION_REMOVED","ADD_NICKNAME","REMOVE_NICKNAME","CHANGE_PASSWORD","CHANGE_PASSWORD_ON_NEXT_LOGIN","REMOVE_RECOVERY_EMAIL","REMOVE_RECOVERY_PHONE","RESET_SIGNIN_COOKIES","SECURITY_KEY_REGISTERED_FOR_USER","REVOKE_SECURITY_KEY","TURN_OFF_2_STEP_VERIFICATION","UNBLOCK_USER_SESSION","UNENROLL_USER_FROM_TITANIUM","ARCHIVE_USER","UPDATE_BIRTHDATE","DOWNGRADE_USER_FROM_GPLUS","USER_ENROLLED_IN_TWO_STEP_VERIFICATION","MOVE_USER_TO_ORG_UNIT","USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","RENAME_USER","UNENROLL_USER_FROM_STRONG_AUTH","SUSPEND_USER","UNARCHIVE_USER","UNSUSPEND_USER","UPGRADE_USER_TO_GPLUS","MOBILE_DEVICE_APPROVE","MOBILE_DEVICE_BLOCK","MOBILE_DEVICE_WIPE","MOBILE_ACCOUNT_WIPE","MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","DELETE_2SV_SCRATCH_CODES","DELETE_ACCOUNT_INFO_DUMP","DELETE_EMAIL_MONITOR","DELETE_MAILBOX_DUMP","DELETE_USER","MOBILE_DEVICE_DELETE","GENERATE_2SV_SCRATCH_CODES","CREATE_EMAIL_MONITOR","CREATE_DATA_TRANSFER_REQUEST","CREATE_USER","UNDELETE_USER","REQUEST_ACCOUNT_INFO","REQUEST_MAILBOX_DUMP","RESEND_USER_INVITE","BULK_UPLOAD_NOTIFICATION_SENT","USER_INVITE","VIEW_TEMP_PASSWORD","USERS_BULK_UPLOAD_NOTIFICATION_SENT","ACTION_CANCELLED","ACTION_REQUESTED"].contains(ctx?.event?.action)' + - append: + field: event.type + value: creation + if: '["CREATE_APPLICATION_SETTING","CREATE_GMAIL_SETTING","CREATE_MANAGED_CONFIGURATION","CREATE_BUILDING","CREATE_CALENDAR_RESOURCE","CREATE_CALENDAR_RESOURCE_FEATURE","MEET_INTEROP_CREATE_GATEWAY","INSERT_CHROME_OS_PRINT_SERVER","INSERT_CHROME_OS_PRINTER","CREATE_ROLE","ADD_WEB_ADDRESS","EMAIL_UNDELETE","CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","CREATE_DEVICE_ENROLLMENT_TOKEN","CREATE_ENROLLMENT_TOKEN","CREATE_ORG_UNIT","CREATE_ALERT","CREATE_PLAY_FOR_WORK_TOKEN","GENERATE_TRANSFER_TOKEN","REGENERATE_OAUTH_CONSUMER_SECRET","CREATE_RULE","GENERATE_PIN","COMPANY_DEVICES_BULK_CREATION","CREATE_GROUP","GENERATE_2SV_SCRATCH_CODES","CREATE_EMAIL_MONITOR","CREATE_DATA_TRANSFER_REQUEST","CREATE_USER","UNDELETE_USER"].contains(ctx?.event?.action)' + - append: + field: event.type + value: deletion + if: '["DELETE_APPLICATION_SETTING","DELETE_GMAIL_SETTING","DELETE_MANAGED_CONFIGURATION","DELETE_BUILDING","DELETE_CALENDAR_RESOURCE","DELETE_CALENDAR_RESOURCE_FEATURE","MEET_INTEROP_DELETE_GATEWAY","DELETE_CHROME_OS_PRINT_SERVER","DELETE_CHROME_OS_PRINTER","REMOVE_CHROME_OS_APPLICATION_SETTINGS","DELETE_ROLE","DELETE_WEB_ADDRESS","CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","REMOVE_ORG_UNIT","DELETE_ALERT","DELETE_PLAY_FOR_WORK_TOKEN","DELETE_RULE","COMPANY_DEVICE_DELETION","DELETE_GROUP","DELETE_2SV_SCRATCH_CODES","DELETE_ACCOUNT_INFO_DUMP","DELETE_EMAIL_MONITOR","DELETE_MAILBOX_DUMP","DELETE_USER","MOBILE_DEVICE_DELETE"].contains(ctx?.event?.action)' + - append: + field: event.type + value: group + if: '["REORDER_GROUP_BASED_POLICIES_EVENT","CHANGE_GROUP_DESCRIPTION","ADD_GROUP_MEMBER","REMOVE_GROUP_MEMBER","UPDATE_GROUP_MEMBER","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","CHANGE_GROUP_NAME","CHANGE_GROUP_SETTING","GROUP_MEMBER_BULK_UPLOAD","WHITELISTED_GROUPS_UPDATED","GROUP_LIST_DOWNLOAD","GROUP_MEMBERS_DOWNLOAD"].contains(ctx?.event?.action)' + - append: + field: event.type + value: info + if: '["ISSUE_DEVICE_COMMAND","DRIVE_DATA_RESTORE","VIEW_SITE_DETAILS","EMAIL_LOG_SEARCH","SKIP_DOMAIN_ALIAS_MX","VERIFY_DOMAIN_ALIAS_MX","VERIFY_DOMAIN_ALIAS","VIEW_DNS_LOGIN_DETAILS","MX_RECORD_VERIFICATION_CLAIM","UPLOAD_OAUTH_CERTIFICATE","SKIP_SECONDARY_DOMAIN_MX","VERIFY_SECONDARY_DOMAIN_MX","VERIFY_SECONDARY_DOMAIN","BULK_UPLOAD","DOWNLOAD_PENDING_INVITES_LIST","DOWNLOAD_USERLIST_CSV","USERS_BULK_UPLOAD","ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT","USE_GOOGLE_MOBILE_MANAGEMENT","USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS","USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS","GROUP_LIST_DOWNLOAD","GROUP_MEMBERS_DOWNLOAD","REQUEST_ACCOUNT_INFO","REQUEST_MAILBOX_DUMP","RESEND_USER_INVITE","BULK_UPLOAD_NOTIFICATION_SENT","USER_INVITE","VIEW_TEMP_PASSWORD","USERS_BULK_UPLOAD_NOTIFICATION_SENT","ACTION_CANCELLED","ACTION_REQUESTED"].contains(ctx?.event?.action)' + - script: + lang: painless + if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' + source: > + if (ctx.google_workspace.admin == null) { + ctx.google_workspace.admin = new HashMap(); + } + for (int i = 0; i < ctx.json.events.parameters.length; ++i) { + if (ctx["json"]["events"]["parameters"][i]["value"] != null) { + ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; + } + if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { + ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { + ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; + } + } + - remove: + field: json.events.parameters + ignore_missing: true + - rename: + field: google_workspace.admin.APPLICATION_EDITION + target_field: google_workspace.admin.application.edition + ignore_missing: true + - rename: + field: google_workspace.admin.APPLICATION_NAME + target_field: google_workspace.admin.application.name + ignore_missing: true + - rename: + field: google_workspace.admin.APPLICATION_ENABLED + target_field: google_workspace.admin.application.enabled + ignore_missing: true + - rename: + field: google_workspace.admin.APP_LICENSES_ORDER_NUMBER + target_field: google_workspace.admin.application.licences_order_number + ignore_missing: true + - rename: + field: google_workspace.admin.CHROME_NUM_LICENSES_PURCHASED + target_field: google_workspace.admin.application.licences_purchased + ignore_missing: true + - rename: + field: google_workspace.admin.REAUTH_APPLICATION + target_field: google_workspace.admin.application.name + ignore_missing: true + - rename: + field: google_workspace.admin.GROUP_EMAIL + target_field: google_workspace.admin.group.email + ignore_missing: true + - rename: + field: google_workspace.admin.GROUP_NAME + target_field: group.name + ignore_missing: true + - rename: + field: google_workspace.admin.NEW_VALUE + target_field: google_workspace.admin.new_value + ignore_missing: true + - rename: + field: google_workspace.admin.OLD_VALUE + target_field: google_workspace.admin.old_value + ignore_missing: true + - rename: + field: google_workspace.admin.ORG_UNIT_NAME + target_field: google_workspace.admin.org_unit.name + ignore_missing: true + - rename: + field: google_workspace.admin.SETTING_NAME + target_field: google_workspace.admin.setting.name + ignore_missing: true + - rename: + field: google_workspace.admin.SETTING_DESCRIPTION + target_field: google_workspace.admin.setting.description + ignore_missing: true + - rename: + field: google_workspace.admin.USER_DEFINED_SETTING_NAME + target_field: google_workspace.admin.user_defined_setting.name + ignore_missing: true + - rename: + field: google_workspace.admin.GROUP_PRIORITIES + target_field: google_workspace.admin.group.priorities + ignore_missing: true + - rename: + field: google_workspace.admin.DOMAIN_NAME + target_field: google_workspace.admin.domain.name + ignore_missing: true + - rename: + field: google_workspace.admin.DOMAIN_ALIAS + target_field: google_workspace.admin.domain.alias + ignore_missing: true + - rename: + field: google_workspace.admin.SECONDARY_DOMAIN_NAME + target_field: google_workspace.admin.domain.secondary_name + ignore_missing: true + - rename: + field: google_workspace.admin.MANAGED_CONFIGURATION_NAME + target_field: google_workspace.admin.managed_configuration + ignore_missing: true + - rename: + field: google_workspace.admin.MOBILE_APP_PACKAGE_ID + target_field: google_workspace.admin.application.package_id + ignore_missing: true + - rename: + field: google_workspace.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION + target_field: google_workspace.admin.non_featured_services_selection + ignore_missing: true + - rename: + field: google_workspace.admin.FIELD_NAME + target_field: google_workspace.admin.field + ignore_missing: true + - rename: + field: google_workspace.admin.RESOURCE_IDENTIFIER + target_field: google_workspace.admin.resource.id + ignore_missing: true + - rename: + field: google_workspace.admin.USER_EMAIL + target_field: google_workspace.admin.user.email + ignore_missing: true + - rename: + field: google_workspace.admin.GATEWAY_NAME + target_field: google_workspace.admin.gateway.name + ignore_missing: true + - rename: + field: google_workspace.admin.APP_ID + target_field: google_workspace.admin.application.id + ignore_missing: true + - rename: + field: google_workspace.admin.ASP_ID + target_field: google_workspace.admin.application.asp_id + ignore_missing: true + - rename: + field: google_workspace.admin.CHROME_OS_SESSION_TYPE + target_field: google_workspace.admin.chrome_os.session_type + ignore_missing: true + - rename: + field: google_workspace.admin.DEVICE_NEW_STATE + target_field: google_workspace.admin.new_value + ignore_missing: true + - rename: + field: google_workspace.admin.DEVICE_PREVIOUS_STATE + target_field: google_workspace.admin.old_value + ignore_missing: true + - rename: + field: google_workspace.admin.DEVICE_SERIAL_NUMBER + target_field: google_workspace.admin.device.serial_number + ignore_missing: true + - rename: + field: google_workspace.admin.DEVICE_ID + target_field: google_workspace.admin.device.id + ignore_missing: true + - rename: + field: google_workspace.admin.DEVICE_TYPE + target_field: google_workspace.admin.device.type + ignore_missing: true + - rename: + field: google_workspace.admin.PRINT_SERVER_NAME + target_field: google_workspace.admin.print_server.name + ignore_missing: true + - rename: + field: google_workspace.admin.PRINTER_NAME + target_field: google_workspace.admin.printer.name + ignore_missing: true + - rename: + field: google_workspace.admin.DEVICE_COMMAND_DETAILS + target_field: google_workspace.admin.device.command_details + ignore_missing: true + - rename: + field: google_workspace.admin.DEVICE_NEW_ORG_UNIT + target_field: google_workspace.admin.new_value + ignore_missing: true + - rename: + field: google_workspace.admin.DEVICE_PREVIOUS_ORG_UNIT + target_field: google_workspace.admin.old_value + ignore_missing: true + - rename: + field: google_workspace.admin.ROLE_NAME + target_field: google_workspace.admin.role.name + ignore_missing: true + - rename: + field: google_workspace.admin.ROLE_ID + target_field: google_workspace.admin.role.id + ignore_missing: true + - rename: + field: google_workspace.admin.PRIVILEGE_NAME + target_field: google_workspace.admin.privilege.name + ignore_missing: true + - rename: + field: google_workspace.admin.SITE_LOCATION + target_field: url.path + ignore_missing: true + - rename: + field: google_workspace.admin.WEB_ADDRESS + target_field: url.full + ignore_missing: true + - uri_parts: + field: url.full + ignore_failure: true + if: ctx?.url?.full != null + - rename: + field: google_workspace.admin.SITE_NAME + target_field: google_workspace.admin.url.name + ignore_missing: true + - rename: + field: google_workspace.admin.SERVICE_NAME + target_field: google_workspace.admin.service.name + ignore_missing: true + - rename: + field: google_workspace.admin.PRODUCT_NAME + target_field: google_workspace.admin.product.name + ignore_missing: true + - rename: + field: google_workspace.admin.SKU_NAME + target_field: google_workspace.admin.product.sku + ignore_missing: true + - rename: + field: google_workspace.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER + target_field: google_workspace.admin.bulk_upload.failed + ignore_missing: true + - rename: + field: google_workspace.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER + target_field: google_workspace.admin.bulk_upload.total + ignore_missing: true + - rename: + field: google_workspace.admin.BULK_UPLOAD_FAIL_USERS_NUMBER + target_field: google_workspace.admin.bulk_upload.failed + ignore_missing: true + - rename: + field: google_workspace.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER + target_field: google_workspace.admin.bulk_upload.total + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_LOG_SEARCH_MSG_ID + target_field: google_workspace.admin.email.log_search_filter.message_id + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_LOG_SEARCH_RECIPIENT + target_field: google_workspace.admin.email.log_search_filter.recipient.value + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_LOG_SEARCH_SENDER + target_field: google_workspace.admin.email.log_search_filter.sender.value + ignore_missing: true + - convert: + field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP + type: ip + ignore_missing: true + on_failure: + - remove: + field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP + - rename: + field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP + target_field: google_workspace.admin.email.log_search_filter.recipient.ip + ignore_missing: true + - convert: + field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP + type: ip + ignore_missing: true + on_failure: + - remove: + field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP + - rename: + field: google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP + target_field: google_workspace.admin.email.log_search_filter.sender.ip + ignore_missing: true + - rename: + field: google_workspace.admin.QUARANTINE_NAME + target_field: google_workspace.admin.email.quarantine_name + ignore_missing: true + - rename: + field: google_workspace.admin.CHROME_LICENSES_ENABLED + target_field: google_workspace.admin.chrome_licenses.enabled + ignore_missing: true + - rename: + field: google_workspace.admin.CHROME_LICENSES_ALLOWED + target_field: google_workspace.admin.chrome_licenses.allowed + ignore_missing: true + - rename: + field: google_workspace.admin.FULL_ORG_UNIT_PATH + target_field: google_workspace.admin.org_unit.full + ignore_missing: true + - rename: + field: google_workspace.admin.OAUTH2_SERVICE_NAME + target_field: google_workspace.admin.oauth2.service.name + ignore_missing: true + - rename: + field: google_workspace.admin.OAUTH2_APP_ID + target_field: google_workspace.admin.oauth2.application.id + ignore_missing: true + - rename: + field: google_workspace.admin.OAUTH2_APP_NAME + target_field: google_workspace.admin.oauth2.application.name + ignore_missing: true + - rename: + field: google_workspace.admin.OAUTH2_APP_TYPE + target_field: google_workspace.admin.oauth2.application.type + ignore_missing: true + - rename: + field: google_workspace.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD + target_field: google_workspace.admin.verification_method + ignore_missing: true + - rename: + field: google_workspace.admin.DOMAIN_VERIFICATION_METHOD + target_field: google_workspace.admin.verification_method + ignore_missing: true + - rename: + field: google_workspace.admin.CAA_ASSIGNMENTS_NEW + target_field: google_workspace.admin.new_value + ignore_missing: true + - rename: + field: google_workspace.admin.CAA_ASSIGNMENTS_OLD + target_field: google_workspace.admin.old_value + ignore_missing: true + - rename: + field: google_workspace.admin.REAUTH_SETTING_NEW + target_field: google_workspace.admin.new_value + ignore_missing: true + - rename: + field: google_workspace.admin.REAUTH_SETTING_OLD + target_field: google_workspace.admin.old_value + ignore_missing: true + - rename: + field: google_workspace.admin.ALERT_NAME + target_field: google_workspace.admin.alert.name + ignore_missing: true + - rename: + field: google_workspace.admin.API_CLIENT_NAME + target_field: google_workspace.admin.api.client.name + ignore_missing: true + - rename: + field: google_workspace.admin.API_SCOPES + target_field: google_workspace.admin.api.scopes + ignore_missing: true + - rename: + field: google_workspace.admin.PLAY_FOR_WORK_TOKEN_ID + target_field: google_workspace.admin.mdm.token + ignore_missing: true + - rename: + field: google_workspace.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME + target_field: google_workspace.admin.mdm.vendor + ignore_missing: true + - rename: + field: google_workspace.admin.INFO_TYPE + target_field: google_workspace.admin.info_type + ignore_missing: true + - rename: + field: google_workspace.admin.RULE_NAME + target_field: google_workspace.admin.rule.name + ignore_missing: true + - rename: + field: google_workspace.admin.USER_CUSTOM_FIELD + target_field: google_workspace.admin.setting.name + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_MONITOR_DEST_EMAIL + target_field: google_workspace.admin.email_monitor.dest_email + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_MONITOR_LEVEL_CHAT + target_field: google_workspace.admin.email_monitor.level.chat + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL + target_field: google_workspace.admin.email_monitor.level.draft + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL + target_field: google_workspace.admin.email_monitor.level.incoming + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL + target_field: google_workspace.admin.email_monitor.level.outgoing + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_EXPORT_INCLUDE_DELETED + target_field: google_workspace.admin.email_dump.include_deleted + ignore_missing: true + - rename: + field: google_workspace.admin.EMAIL_EXPORT_PACKAGE_CONTENT + target_field: google_workspace.admin.email_dump.package_content + ignore_missing: true + - rename: + field: google_workspace.admin.SEARCH_QUERY_FOR_DUMP + target_field: google_workspace.admin.email_dump.query + ignore_missing: true + - rename: + field: google_workspace.admin.DESTINATION_USER_EMAIL + target_field: google_workspace.admin.new_value + ignore_missing: true + - rename: + field: google_workspace.admin.REQUEST_ID + target_field: google_workspace.admin.request.id + ignore_missing: true + - rename: + field: google_workspace.admin.GMAIL_RESET_REASON + target_field: message + ignore_missing: true + - rename: + field: google_workspace.admin.USER_NICKNAME + target_field: google_workspace.admin.user.nickname + ignore_missing: true + - rename: + field: google_workspace.admin.ACTION_ID + target_field: google_workspace.admin.mobile.action.id + ignore_missing: true + - rename: + field: google_workspace.admin.ACTION_TYPE + target_field: google_workspace.admin.mobile.action.type + ignore_missing: true + - rename: + field: google_workspace.admin.MOBILE_CERTIFICATE_COMMON_NAME + target_field: google_workspace.admin.mobile.certificate.name + ignore_missing: true + - rename: + field: google_workspace.admin.NUMBER_OF_COMPANY_OWNED_DEVICES + target_field: google_workspace.admin.mobile.company_owned_devices + ignore_missing: true + - rename: + field: google_workspace.admin.COMPANY_DEVICE_ID + target_field: google_workspace.admin.device.id + ignore_missing: true + - rename: + field: google_workspace.admin.DISTRIBUTION_ENTITY_NAME + target_field: google_workspace.admin.distribution.entity.name + ignore_missing: true + - rename: + field: google_workspace.admin.DISTRIBUTION_ENTITY_TYPE + target_field: google_workspace.admin.distribution.entity.type + ignore_missing: true + - rename: + field: google_workspace.admin.MOBILE_APP_PACKAGE_ID + target_field: google_workspace.admin.application.package_id + ignore_missing: true + - rename: + field: google_workspace.admin.NEW_PERMISSION_GRANT_STATE + target_field: google_workspace.admin.new_value + ignore_missing: true + - rename: + field: google_workspace.admin.OLD_PERMISSION_GRANT_STATE + target_field: google_workspace.admin.old_value + ignore_missing: true + - rename: + field: google_workspace.admin.PERMISSION_GROUP_NAME + target_field: google_workspace.admin.setting.name + ignore_missing: true + - rename: + field: google_workspace.admin.MOBILE_WIRELESS_NETWORK_NAME + target_field: network.name + ignore_missing: true + - date: + field: google_workspace.admin.EMAIL_LOG_SEARCH_END_DATE + target_field: google_workspace.admin.email.log_search_filter.end_date + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + if: ctx?.google_workspace?.admin?.EMAIL_LOG_SEARCH_END_DATE != null + - date: + field: google_workspace.admin.EMAIL_LOG_SEARCH_START_DATE + target_field: google_workspace.admin.email.log_search_filter.start_date + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + if: ctx?.google_workspace?.admin?.EMAIL_LOG_SEARCH_START_DATE != null + - date: + field: google_workspace.admin.BIRTHDATE + target_field: google_workspace.admin.user.birthdate + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + if: ctx?.google_workspace?.admin?.BIRTHDATE != null + - date: + field: google_workspace.admin.BEGIN_DATE_TIME + target_field: event.start + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + if: ctx?.google_workspace?.admin?.BEGIN_DATE_TIME != null + - date: + field: google_workspace.admin.START_DATE + target_field: event.start + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + if: ctx?.google_workspace?.admin?.START_DATE != null + - date: + field: google_workspace.admin.END_DATE + target_field: event.end + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + if: ctx?.google_workspace?.admin?.END_DATE != null + - date: + field: google_workspace.admin.END_DATE_TIME + target_field: event.end + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + if: ctx?.google_workspace?.admin?.END_DATE_TIME != null + - script: + lang: painless + if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' + source: > + String[] splitmail = ctx.source.user.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + ctx.user.name = splitmail[0]; + ctx.source.user.name = splitmail[0]; + ctx.user.domain = splitmail[1]; + ctx.source.user.domain = splitmail[1]; + - script: + lang: painless + if: 'ctx?.google_workspace?.admin?.group?.email != null && ctx?.google_workspace?.admin?.group?.email.contains("@")' + source: > + String[] splitmail = ctx.google_workspace.admin.group.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.group == null) { + ctx.group = new HashMap(); + } + ctx.group.name = splitmail[0]; + ctx.group.domain = splitmail[1]; + - script: + lang: painless + if: 'ctx?.google_workspace?.admin?.user?.email != null && ctx?.google_workspace?.admin?.user?.email.contains("@")' + source: > + String[] splitmail = ctx.google_workspace.admin.user.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.related == null) { + ctx.related = new HashMap(); + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + if (ctx.user.target == null) { + ctx.user.target = new HashMap(); + } + ctx.user.target.name = splitmail[0]; + ctx.user.target.domain = splitmail[1]; + ctx.user.target.email = ctx.google_workspace.admin.user.email; + - set: + field: user.target.group.name + copy_from: group.name + if: ctx?.group?.name != null + - set: + field: user.target.group.domain + copy_from: group.domain + if: ctx?.group?.domain != null + - script: + lang: painless + if: 'ctx?.event?.start != null && ctx?.event?.end != null' + source: >- + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); + - convert: + field: google_workspace.admin.bulk_upload.total + type: long + ignore_missing: true + - convert: + field: google_workspace.admin.bulk_upload.failed + type: long + ignore_missing: true + - set: + field: event.outcome + value: success + if: 'ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != null && ctx?.google_workspace?.admin?.group?.bulk_upload?.failed == 0' + - set: + field: event.outcome + value: failure + if: 'ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != null && ctx?.google_workspace?.admin?.group?.bulk_upload?.failed != 0' + - split: + field: google_workspace.admin.WHITELISTED_GROUPS + target_field: google_workspace.admin.group.allowed_list + separator: ',' + ignore_missing: true + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx?.source?.ip != null + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null + allow_duplicates: false + - append: + field: related.user + value: "{{user.target.name}}" + if: ctx?.user?.target?.name != null + allow_duplicates: false + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - convert: + field: event.id + type: string + ignore_missing: true + - convert: + field: source.user.id + type: string + ignore_missing: true + - convert: + field: user.id + type: string + ignore_missing: true + - remove: + field: + - json + - google_workspace.admin.EMAIL_LOG_SEARCH_END_DATE + - google_workspace.admin.EMAIL_LOG_SEARCH_START_DATE + - google_workspace.admin.BIRTHDATE + - google_workspace.admin.BEGIN_DATE_TIME + - google_workspace.admin.START_DATE + - google_workspace.admin.END_DATE + - google_workspace.admin.END_DATE_TIME + - google_workspace.admin.WHITELISTED_GROUPS + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.7.2/data_stream/admin/fields/agent.yml b/packages/google_workspace/1.7.2/data_stream/admin/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/google_workspace/1.7.2/data_stream/admin/fields/base-fields.yml b/packages/google_workspace/1.7.2/data_stream/admin/fields/base-fields.yml new file mode 100755 index 0000000000..5913006667 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: google_workspace +- name: event.dataset + type: constant_keyword + description: Event dataset + value: google_workspace.admin +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/google_workspace/1.7.2/data_stream/admin/fields/ecs.yml b/packages/google_workspace/1.7.2/data_stream/admin/fields/ecs.yml new file mode 100755 index 0000000000..88f77ff59e --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/fields/ecs.yml @@ -0,0 +1,303 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/google_workspace/1.7.2/data_stream/admin/fields/fields.yml b/packages/google_workspace/1.7.2/data_stream/admin/fields/fields.yml new file mode 100755 index 0000000000..642107f70f --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/fields/fields.yml @@ -0,0 +1,259 @@ +- name: google_workspace.admin + type: group + fields: + - name: application.edition + type: keyword + description: The Google Workspace edition. + - name: application.name + type: keyword + description: The application's name. + - name: application.enabled + type: keyword + description: The enabled application. + - name: application.licences_order_number + type: keyword + description: Order number used to redeem licenses. + - name: application.licences_purchased + type: long + description: Number of licences purchased. + - name: application.id + type: keyword + description: The application ID. + - name: application.asp_id + type: keyword + description: The application specific password ID. + - name: application.package_id + type: keyword + description: The mobile application package ID. + - name: group.email + type: keyword + description: The group's primary email address. + - name: new_value + type: keyword + description: The new value for the setting. + - name: old_value + type: keyword + description: The old value for the setting. + - name: org_unit.name + type: keyword + description: The organizational unit name. + - name: org_unit.full + type: keyword + description: The org unit full path including the root org unit name. + - name: setting.name + type: keyword + description: The setting name. + - name: user_defined_setting.name + type: keyword + description: The name of the user-defined setting. + - name: setting.description + type: keyword + description: The setting name. + - name: group.priorities + type: keyword + description: Group priorities. + - name: domain.alias + type: keyword + description: The domain alias. + - name: domain.name + type: keyword + description: The primary domain name. + - name: domain.secondary_name + type: keyword + description: The secondary domain name. + - name: managed_configuration + type: keyword + description: The name of the managed configuration. + - name: non_featured_services_selection + type: keyword + description: | + Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + - name: field + type: keyword + description: The name of the field. + - name: resource.id + type: keyword + description: The name of the resource identifier. + - name: user.email + type: keyword + description: The user's primary email address. + - name: user.nickname + type: keyword + description: The user's nickname. + - name: user.birthdate + type: date + description: The user's birth date. + - name: gateway.name + type: keyword + description: Gateway name. Present on some chat settings. + - name: chrome_os.session_type + type: keyword + description: Chrome OS session type. + - name: device.serial_number + type: keyword + description: Device serial number. + - name: device.id + type: keyword + - name: device.type + type: keyword + description: Device type. + - name: print_server.name + type: keyword + description: The name of the print server. + - name: printer.name + type: keyword + description: The name of the printer. + - name: device.command_details + type: keyword + description: Command details. + - name: role.id + type: keyword + description: Unique identifier for this role privilege. + - name: role.name + type: keyword + description: | + The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + - name: privilege.name + type: keyword + description: Privilege name. + - name: service.name + type: keyword + description: The service name. + - name: url.name + type: keyword + description: The website name. + - name: product.name + type: keyword + description: The product name. + - name: product.sku + type: keyword + description: The product SKU. + - name: bulk_upload.failed + type: long + description: Number of failed records in bulk upload operation. + - name: bulk_upload.total + type: long + description: Number of total records in bulk upload operation. + - name: group.allowed_list + type: keyword + description: Names of allow-listed groups. + - name: email.quarantine_name + type: keyword + description: The name of the quarantine. + - name: email.log_search_filter.message_id + type: keyword + description: The log search filter's email message ID. + - name: email.log_search_filter.start_date + type: date + description: The log search filter's start date. + - name: email.log_search_filter.end_date + type: date + description: The log search filter's ending date. + - name: email.log_search_filter.recipient.value + type: keyword + description: The log search filter's email recipient. + - name: email.log_search_filter.sender.value + type: keyword + description: The log search filter's email sender. + - name: email.log_search_filter.recipient.ip + type: ip + description: The log search filter's email recipient's IP address. + - name: email.log_search_filter.sender.ip + type: ip + description: The log search filter's email sender's IP address. + - name: chrome_licenses.enabled + type: keyword + description: | + Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: chrome_licenses.allowed + type: keyword + description: | + Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: oauth2.service.name + type: keyword + description: | + OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: oauth2.application.id + type: keyword + description: OAuth2 application ID. + - name: oauth2.application.name + type: keyword + description: OAuth2 application name. + - name: oauth2.application.type + type: keyword + description: | + OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: verification_method + type: keyword + description: | + Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: alert.name + type: keyword + description: The alert name. + - name: rule.name + type: keyword + description: The rule name. + - name: api.client.name + type: keyword + description: The API client name. + - name: api.scopes + type: keyword + description: The API scopes. + - name: mdm.token + type: keyword + description: The MDM vendor enrollment token. + - name: mdm.vendor + type: keyword + description: The MDM vendor's name. + - name: info_type + type: keyword + description: | + This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: email_monitor.dest_email + type: keyword + description: The destination address of the email monitor. + - name: email_monitor.level.chat + type: keyword + description: The chat email monitor level. + - name: email_monitor.level.draft + type: keyword + description: The draft email monitor level. + - name: email_monitor.level.incoming + type: keyword + description: The incoming email monitor level. + - name: email_monitor.level.outgoing + type: keyword + description: The outgoing email monitor level. + - name: email_dump.include_deleted + type: boolean + description: Indicates if deleted emails are included in the export. + - name: email_dump.package_content + type: keyword + description: The contents of the mailbox package. + - name: email_dump.query + type: keyword + description: The search query used for the dump. + - name: request.id + type: keyword + description: The request ID. + - name: mobile.action.id + type: keyword + description: The mobile device action's ID. + - name: mobile.action.type + type: keyword + description: | + The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: mobile.certificate.name + type: keyword + description: The mobile certificate common name. + - name: mobile.company_owned_devices + type: long + description: The number of devices a company owns. + - name: distribution.entity.name + type: keyword + description: | + The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: distribution.entity.type + type: keyword + description: | + The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/packages/google_workspace/1.7.2/data_stream/admin/fields/package-fields.yml b/packages/google_workspace/1.7.2/data_stream/admin/fields/package-fields.yml new file mode 100755 index 0000000000..6aaf0c1ca5 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/fields/package-fields.yml @@ -0,0 +1,27 @@ +- name: google_workspace + type: group + fields: + - name: actor.type + type: keyword + description: | + The type of actor. + Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + - name: actor.key + type: keyword + description: | + Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + - name: event.type + type: keyword + description: | + The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: kind + type: keyword + description: | + The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: organization.domain + type: keyword + description: | + The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.7.2/data_stream/admin/manifest.yml b/packages/google_workspace/1.7.2/data_stream/admin/manifest.yml new file mode 100755 index 0000000000..5be2f1ef22 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: Admin logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Admin logs (httpjson) + description: Collect admin logs using httpjson input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - google-workspace-admin + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/google_workspace/1.7.2/data_stream/admin/sample_event.json b/packages/google_workspace/1.7.2/data_stream/admin/sample_event.json new file mode 100755 index 0000000000..f0559d0b60 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/admin/sample_event.json @@ -0,0 +1,116 @@ +{ + "@timestamp": "2022-02-02T12:23:57.000Z", + "agent": { + "ephemeral_id": "68cf8bd1-0ff1-4c77-a4e7-64ab24882a9c", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.admin", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "CHANGE_APPLICATION_SETTING", + "agent_id_status": "verified", + "category": [ + "iam", + "configuration" + ], + "created": "2022-02-03T12:23:57.797Z", + "dataset": "google_workspace.admin", + "id": "1", + "ingested": "2022-02-03T12:23:58Z", + "provider": "admin", + "type": [ + "change" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "admin": { + "application": { + "edition": "basic", + "name": "drive" + }, + "group": { + "email": "group@example.com" + }, + "new_value": "new", + "old_value": "old", + "org_unit": { + "name": "org" + }, + "setting": { + "name": "setting" + } + }, + "event": { + "type": "APPLICATION_SETTINGS" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "group": { + "domain": "example.com", + "name": "group" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-admin" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo", + "target": { + "group": { + "domain": "example.com", + "name": "group" + } + } + } +} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/drive/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.7.2/data_stream/drive/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..510c49aabb --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/agent/stream/httpjson.yml.hbs @@ -0,0 +1,44 @@ +config_version: "2" +interval: {{interval}} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{jwt_file}} +auth.oauth2.google.jwt_json: {{jwt_json}} +auth.oauth2.google.delegated_account: {{delegated_account}} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/drive +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: url.params.startTime + value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' +response.split: + target: body.items + split: + target: body.events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" + fail_on_template_error: true +cursor: + last_execution_datetime: + value: "[[formatDate now]]" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/drive/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.7.2/data_stream/drive/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..d3e352cb35 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,268 @@ +--- +description: Pipeline for parsing google_workspace logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - append: + field: event.category + value: file + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.id.time + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + - rename: + field: json.events.name + target_field: event.action + ignore_missing: true + - fingerprint: + description: Hashes the ID object and uses it as the document id to avoid duplicate events. + fields: + - json.id + target_field: _id + ignore_missing: true + ignore_failure: true + - rename: + field: json.id.applicationName + target_field: event.provider + ignore_missing: true + - convert: + field: json.id.uniqueQualifier + target_field: event.id + type: string + ignore_missing: true + - rename: + field: json.actor.email + target_field: source.user.email + ignore_missing: true + - convert: + field: json.actor.profileId + target_field: source.user.id + type: string + ignore_missing: true + - set: + field: user.id + copy_from: source.user.id + if: ctx?.source?.user?.id != null + - rename: + field: json.ipAddress + target_field: source.ip + ignore_missing: true + - rename: + field: json.kind + target_field: google_workspace.kind + ignore_missing: true + - rename: + field: json.id.customerId + target_field: organization.id + ignore_missing: true + - rename: + field: json.actor.callerType + target_field: google_workspace.actor.type + ignore_missing: true + - rename: + field: json.actor.key + target_field: google_workspace.actor.key + ignore_missing: true + - rename: + field: json.ownerDomain + target_field: google_workspace.organization.domain + ignore_missing: true + - rename: + field: json.events.type + target_field: google_workspace.event.type + ignore_missing: true + - script: + lang: painless + if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' + source: > + String[] splitmail = ctx.source.user.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + ctx.user.name = splitmail[0]; + ctx.source.user.name = splitmail[0]; + ctx.user.domain = splitmail[1]; + ctx.source.user.domain = splitmail[1]; + - append: + field: event.type + value: change + if: '["add_to_folder", "edit", "add_lock", "move", "remove_from_folder", "rename", "remove_lock", "sheets_import_range", "approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)' + - append: + field: event.category + value: iam + if: '["approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)' + - append: + field: event.category + value: configuration + if: '["approval_canceled", "approval_comment_added", "approval_requested", "approval_reviewer_responded", "change_acl_editors", "change_document_access_scope", "change_document_visibility", "shared_drive_membership_change", "shared_drive_settings_change", "sheets_import_range_access_change", "change_user_access"].contains(ctx?.event?.action)' + - append: + field: event.type + value: creation + if: '["create", "untrash", "upload"].contains(ctx?.event?.action)' + - append: + field: event.type + value: deletion + if: '["delete", "trash"].contains(ctx?.event?.action)' + - append: + field: event.type + value: info + if: '["download", "preview", "print", "view"].contains(ctx?.event?.action)' + - script: + lang: painless + if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' + source: > + if (ctx.google_workspace.drive == null) { + ctx.google_workspace.drive = new HashMap(); + } + for (int i = 0; i < ctx.json.events.parameters.length; ++i) { + if (ctx["json"]["events"]["parameters"][i]["value"] != null) { + ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; + } + if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { + ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["boolValue"] != null) { + ctx.google_workspace.drive[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["boolValue"]; + } + } + - rename: + field: google_workspace.drive.doc_id + target_field: google_workspace.drive.file.id + ignore_missing: true + - rename: + field: google_workspace.drive.doc_title + target_field: file.name + ignore_missing: true + - rename: + field: google_workspace.drive.doc_type + target_field: google_workspace.drive.file.type + ignore_missing: true + - rename: + field: google_workspace.drive.owner + target_field: google_workspace.drive.file.owner.email + ignore_missing: true + - rename: + field: google_workspace.drive.owner_is_shared_drive + target_field: google_workspace.drive.file.owner.is_shared_drive + ignore_missing: true + - rename: + field: google_workspace.drive.new_settings_state + target_field: google_workspace.drive.new_value + ignore_missing: true + - rename: + field: google_workspace.drive.old_settings_state + target_field: google_workspace.drive.old_value + ignore_missing: true + - rename: + field: google_workspace.drive.target_user + target_field: google_workspace.drive.target + ignore_missing: true + - set: + field: file.type + value: dir + if: '["folder", "shared"].contains(ctx?.google_workspace?.drive?.file?.type)' + - set: + field: file.type + value: file + if: ctx?.file?.type == null + - script: + lang: painless + if: ctx?.file?.name != null + source: > + def path = ctx.file.name; + def extIdx = path.lastIndexOf("."); + if (extIdx > -1) { + ctx.file.extension = path.substring(extIdx+1); + } + - script: + lang: painless + if: 'ctx?.google_workspace?.drive?.target != null && ctx?.google_workspace?.drive?.target.contains("@")' + source: > + String[] splitmail = ctx.google_workspace.drive.target.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.related == null) { + ctx.related = new HashMap(); + } + if (ctx.related.user == null) { + ctx.related.user = new ArrayList(); + } + ctx.related.user.add(splitmail[0]); + - script: + lang: painless + if: 'ctx?.google_workspace?.drive?.file?.owner?.email != null && ctx?.google_workspace?.drive?.file?.owner?.email.contains("@")' + source: > + String[] splitmail = ctx.google_workspace.drive.file.owner.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.file == null) { + ctx.file = new HashMap(); + } + ctx.file.owner = splitmail[0]; + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx?.source?.ip != null + allow_duplicates: false + - append: + field: related.user + value: "{{file.owner}}" + if: ctx?.file?.owner != null + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null + allow_duplicates: false + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: + - json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.7.2/data_stream/drive/fields/agent.yml b/packages/google_workspace/1.7.2/data_stream/drive/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/google_workspace/1.7.2/data_stream/drive/fields/base-fields.yml b/packages/google_workspace/1.7.2/data_stream/drive/fields/base-fields.yml new file mode 100755 index 0000000000..0ea1dcfcb3 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: google_workspace +- name: event.dataset + type: constant_keyword + description: Event dataset + value: google_workspace.drive +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/google_workspace/1.7.2/data_stream/drive/fields/ecs.yml b/packages/google_workspace/1.7.2/data_stream/drive/fields/ecs.yml new file mode 100755 index 0000000000..da0e927c52 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/fields/ecs.yml @@ -0,0 +1,249 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: File owner's username. + name: file.owner + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/google_workspace/1.7.2/data_stream/drive/fields/fields.yml b/packages/google_workspace/1.7.2/data_stream/drive/fields/fields.yml new file mode 100755 index 0000000000..85a89be11c --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/fields/fields.yml @@ -0,0 +1,84 @@ +- name: google_workspace.drive + type: group + fields: + - name: billable + type: boolean + description: Whether this activity is billable. + - name: source_folder_id + type: keyword + - name: source_folder_title + type: keyword + - name: destination_folder_id + type: keyword + - name: destination_folder_title + type: keyword + - name: file.id + type: keyword + - name: file.type + type: keyword + description: | + Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: originating_app_id + type: keyword + description: | + The Google Cloud Project ID of the application that performed the action. + - name: file.owner.email + type: keyword + - name: file.owner.is_shared_drive + type: boolean + description: | + Boolean flag denoting whether owner is a shared drive. + - name: primary_event + type: boolean + description: | + Whether this is a primary event. A single user action in Drive may generate several events. + - name: shared_drive_id + type: keyword + description: | + The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. + - name: visibility + type: keyword + description: | + Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: new_value + type: keyword + description: | + When a setting or property of the file changes, the new value for it will appear here. + - name: old_value + type: keyword + description: | + When a setting or property of the file changes, the old value for it will appear here. + - name: sheets_import_range_recipient_doc + type: keyword + description: Doc ID of the recipient of a sheets import range. + - name: old_visibility + type: keyword + description: | + When visibility changes, this holds the old value. + - name: visibility_change + type: keyword + description: | + When visibility changes, this holds the new overall visibility of the file. + - name: target_domain + type: keyword + description: | + The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. + - name: added_role + type: keyword + description: | + Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: membership_change_type + type: keyword + description: | + Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: shared_drive_settings_change_type + type: keyword + description: | + Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: removed_role + type: keyword + description: | + Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: target + type: keyword + description: Target user or group. diff --git a/packages/google_workspace/1.7.2/data_stream/drive/fields/package-fields.yml b/packages/google_workspace/1.7.2/data_stream/drive/fields/package-fields.yml new file mode 100755 index 0000000000..6aaf0c1ca5 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/fields/package-fields.yml @@ -0,0 +1,27 @@ +- name: google_workspace + type: group + fields: + - name: actor.type + type: keyword + description: | + The type of actor. + Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + - name: actor.key + type: keyword + description: | + Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + - name: event.type + type: keyword + description: | + The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: kind + type: keyword + description: | + The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: organization.domain + type: keyword + description: | + The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.7.2/data_stream/drive/manifest.yml b/packages/google_workspace/1.7.2/data_stream/drive/manifest.yml new file mode 100755 index 0000000000..ef6840f241 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: Drive logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Drive logs (httpjson) + description: Collect drive logs using httpjson input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - google-workspace-drive + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/google_workspace/1.7.2/data_stream/drive/sample_event.json b/packages/google_workspace/1.7.2/data_stream/drive/sample_event.json new file mode 100755 index 0000000000..9d200cea3d --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/drive/sample_event.json @@ -0,0 +1,110 @@ +{ + "@timestamp": "2022-02-02T12:24:50.000Z", + "agent": { + "ephemeral_id": "3160d231-025f-4e24-9581-72458c960fca", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.drive", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "add_to_folder", + "agent_id_status": "verified", + "category": [ + "file" + ], + "created": "2022-02-03T12:24:50.101Z", + "dataset": "google_workspace.drive", + "id": "1", + "ingested": "2022-02-03T12:24:51Z", + "provider": "drive", + "type": [ + "change" + ] + }, + "file": { + "name": "document title", + "owner": "owner", + "type": "file" + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "drive": { + "billable": false, + "destination_folder_id": "1234", + "destination_folder_title": "folder title", + "file": { + "id": "1234", + "owner": { + "email": "owner@example.com", + "is_shared_drive": false + }, + "type": "document" + }, + "originating_app_id": "1234", + "primary_event": true, + "visibility": "people_with_link" + }, + "event": { + "type": "access" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "owner", + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-drive" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo" + } +} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/groups/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.7.2/data_stream/groups/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..f0699fc2de --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/agent/stream/httpjson.yml.hbs @@ -0,0 +1,44 @@ +config_version: "2" +interval: {{interval}} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{jwt_file}} +auth.oauth2.google.jwt_json: {{jwt_json}} +auth.oauth2.google.delegated_account: {{delegated_account}} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/groups +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: url.params.startTime + value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' +response.split: + target: body.items + split: + target: body.events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" + fail_on_template_error: true +cursor: + last_execution_datetime: + value: "[[formatDate now]]" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/google_workspace/1.7.2/data_stream/groups/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.7.2/data_stream/groups/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..f7413d168a --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,300 @@ +--- +description: Pipeline for parsing google_workspace logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - append: + field: event.category + value: iam + - append: + field: event.type + value: group + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.id.time + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + - rename: + field: json.events.name + target_field: event.action + ignore_missing: true + - fingerprint: + description: Hashes the ID object and uses it as the document id to avoid duplicate events. + fields: + - json.id + target_field: _id + ignore_missing: true + ignore_failure: true + - rename: + field: json.id.applicationName + target_field: event.provider + ignore_missing: true + - convert: + field: json.id.uniqueQualifier + target_field: event.id + type: string + ignore_missing: true + - rename: + field: json.actor.email + target_field: source.user.email + ignore_missing: true + - convert: + field: json.actor.profileId + target_field: source.user.id + type: string + ignore_missing: true + - convert: + field: json.ipAddress + target_field: source.ip + type: ip + ignore_missing: true + - rename: + field: json.kind + target_field: google_workspace.kind + ignore_missing: true + - convert: + field: json.id.customerId + target_field: organization.id + type: string + ignore_missing: true + - rename: + field: json.actor.callerType + target_field: google_workspace.actor.type + ignore_missing: true + - rename: + field: json.actor.key + target_field: google_workspace.actor.key + ignore_missing: true + - rename: + field: json.ownerDomain + target_field: google_workspace.organization.domain + ignore_missing: true + - rename: + field: json.events.type + target_field: google_workspace.event.type + ignore_missing: true + - set: + field: user.id + copy_from: source.user.id + if: ctx?.source?.user?.id != null + - script: + lang: painless + if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' + source: > + String[] splitmail = ctx.source.user.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + ctx.user.name = splitmail[0]; + ctx.source.user.name = splitmail[0]; + ctx.user.domain = splitmail[1]; + ctx.source.user.domain = splitmail[1]; + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx?.source?.ip != null + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null + allow_duplicates: false + - append: + field: event.type + value: change + if: '["change_basic_setting", "change_identity_setting", "change_info_setting", "change_new_members_restrictions_setting", "change_post_replies_setting", "change_spam_moderation_setting", "change_topic_setting", "change_acl_permission", "approve_join_request", "join"].contains(ctx?.event?.action)' + - append: + field: event.category + value: configuration + if: '["change_basic_setting", "change_identity_setting", "change_info_setting", "change_new_members_restrictions_setting", "change_post_replies_setting", "change_spam_moderation_setting", "change_topic_setting", "add_info_setting", "remove_info_setting"].contains(ctx?.event?.action)' + - append: + field: event.type + value: info + if: '["accept_invitation", "request_to_join", "ban_user_with_moderation", "revoke_invitation", "invite_user", "reject_join_request", "reinvite_user", "moderate_message", "always_post_from_user"].contains(ctx?.event?.action)' + - append: + field: event.type + value: user + if: '["accept_invitation", "approve_join_request", "join", "request_to_join", "ban_user_with_moderation", "revoke_invitation", "invite_user", "reject_join_request", "reinvite_user", "add_user", "remove_user"].contains(ctx?.event?.action)' + - append: + field: event.type + value: creation + if: '["create_group", "add_info_setting", "add_user"].contains(ctx?.event?.action)' + - append: + field: event.type + value: deletion + if: '["delete_group", "remove_info_setting", "remove_user"].contains(ctx?.event?.action)' + - script: + lang: painless + if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' + source: > + if (ctx.google_workspace.groups == null) { + ctx.google_workspace.groups = new HashMap(); + } + for (int i = 0; i < ctx.json.events.parameters.length; ++i) { + if (ctx["json"]["events"]["parameters"][i]["value"] != null) { + ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; + } + if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { + ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { + ctx.google_workspace.groups[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; + } + } + - rename: + field: google_workspace.groups.group_email + target_field: google_workspace.groups.email + ignore_missing: true + - rename: + field: google_workspace.groups.new_value_repeated + target_field: google_workspace.groups.new_value + ignore_missing: true + - rename: + field: google_workspace.groups.old_value_repeated + target_field: google_workspace.groups.old_value + ignore_missing: true + - rename: + field: google_workspace.groups.user_email + target_field: google_workspace.groups.member.email + ignore_missing: true + - rename: + field: google_workspace.groups.basic_setting + target_field: google_workspace.groups.setting + ignore_missing: true + - rename: + field: google_workspace.groups.identity_setting + target_field: google_workspace.groups.setting + ignore_missing: true + - rename: + field: google_workspace.groups.info_setting + target_field: google_workspace.groups.setting + ignore_missing: true + - rename: + field: google_workspace.groups.new_members_restrictions_setting + target_field: google_workspace.groups.setting + ignore_missing: true + - rename: + field: google_workspace.groups.post_replies_setting + target_field: google_workspace.groups.setting + ignore_missing: true + - rename: + field: google_workspace.groups.spam_moderation_setting + target_field: google_workspace.groups.setting + ignore_missing: true + - rename: + field: google_workspace.groups.topic_setting + target_field: google_workspace.groups.setting + ignore_missing: true + - rename: + field: google_workspace.groups.message_id + target_field: google_workspace.groups.message.id + ignore_missing: true + - rename: + field: google_workspace.groups.message_moderation_action + target_field: google_workspace.groups.message.moderation_action + ignore_missing: true + - rename: + field: google_workspace.groups.member_role + target_field: google_workspace.groups.member.role + ignore_missing: true + - set: + field: event.outcome + value: failure + if: 'ctx?.google_workspace?.groups?.status == "failed"' + - set: + field: event.outcome + value: success + if: 'ctx?.google_workspace?.groups?.status == "success"' + - script: + lang: painless + if: 'ctx?.google_workspace?.groups?.email != null && ctx?.google_workspace?.groups?.email.contains("@")' + source: > + String[] splitmail = ctx.google_workspace.groups.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.group == null) { + ctx.group = new HashMap(); + } + ctx.group.name = splitmail[0]; + ctx.group.domain = splitmail[1]; + - script: + lang: painless + if: 'ctx?.google_workspace?.groups?.member?.email != null && ctx?.google_workspace?.groups?.member?.email.contains("@")' + source: > + String[] splitmail = ctx.google_workspace.groups.member.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + if (ctx.user.target == null) { + ctx.user.target = new HashMap(); + } + if (ctx.related == null) { + ctx.related = new HashMap(); + } + if (ctx.related.user == null) { + ctx.related.user = new ArrayList(); + } + ctx.related.user.add(splitmail[0]); + ctx.user.target.name = splitmail[0]; + ctx.user.target.domain = splitmail[1]; + ctx.user.target.email = ctx.google_workspace.groups.member.email; + - set: + field: user.target.group.name + copy_from: group.name + if: ctx?.group?.name != null + - set: + field: user.target.group.domain + copy_from: group.domain + if: ctx?.group?.domain != null + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.7.2/data_stream/groups/fields/agent.yml b/packages/google_workspace/1.7.2/data_stream/groups/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/google_workspace/1.7.2/data_stream/groups/fields/base-fields.yml b/packages/google_workspace/1.7.2/data_stream/groups/fields/base-fields.yml new file mode 100755 index 0000000000..b265ecedb0 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: google_workspace +- name: event.dataset + type: constant_keyword + description: Event dataset + value: google_workspace.groups +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/google_workspace/1.7.2/data_stream/groups/fields/ecs.yml b/packages/google_workspace/1.7.2/data_stream/groups/fields/ecs.yml new file mode 100755 index 0000000000..48c658aa62 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/fields/ecs.yml @@ -0,0 +1,229 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/google_workspace/1.7.2/data_stream/groups/fields/fields.yml b/packages/google_workspace/1.7.2/data_stream/groups/fields/fields.yml new file mode 100755 index 0000000000..f80bd11d93 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/fields/fields.yml @@ -0,0 +1,46 @@ +- name: google_workspace.groups + type: group + fields: + - name: acl_permission + type: keyword + description: | + Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: email + type: keyword + description: | + Group email. + - name: member.email + type: keyword + description: | + Member email. + - name: member.role + type: keyword + description: | + Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: setting + type: keyword + description: | + Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: new_value + type: keyword + description: | + New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: old_value + type: keyword + description: Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: value + type: keyword + description: | + Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: message.id + type: keyword + description: | + SMTP message Id of an email message. Present for moderation events. + - name: message.moderation_action + type: keyword + description: | + Message moderation action. Possible values are `approved` and `rejected`. + - name: status + type: keyword + description: | + A status describing the output of an operation. Possible values are `failed` and `succeeded`. diff --git a/packages/google_workspace/1.7.2/data_stream/groups/fields/package-fields.yml b/packages/google_workspace/1.7.2/data_stream/groups/fields/package-fields.yml new file mode 100755 index 0000000000..6aaf0c1ca5 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/fields/package-fields.yml @@ -0,0 +1,27 @@ +- name: google_workspace + type: group + fields: + - name: actor.type + type: keyword + description: | + The type of actor. + Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + - name: actor.key + type: keyword + description: | + Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + - name: event.type + type: keyword + description: | + The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: kind + type: keyword + description: | + The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: organization.domain + type: keyword + description: | + The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.7.2/data_stream/groups/manifest.yml b/packages/google_workspace/1.7.2/data_stream/groups/manifest.yml new file mode 100755 index 0000000000..7e74484384 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: Groups logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Groups logs (httpjson) + description: Collect groups logs using httpjson input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - google-workspace-groups + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/google_workspace/1.7.2/data_stream/groups/sample_event.json b/packages/google_workspace/1.7.2/data_stream/groups/sample_event.json new file mode 100755 index 0000000000..ca9c896379 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/groups/sample_event.json @@ -0,0 +1,110 @@ +{ + "@timestamp": "2022-02-02T12:25:39.000Z", + "agent": { + "ephemeral_id": "a9599f5d-49a5-4339-9e5e-484f19370712", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.groups", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "change_acl_permission", + "agent_id_status": "verified", + "category": [ + "iam" + ], + "created": "2022-02-03T12:25:39.375Z", + "dataset": "google_workspace.groups", + "id": "1", + "ingested": "2022-02-03T12:25:40Z", + "provider": "groups", + "type": [ + "group", + "change" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "event": { + "type": "acl_change" + }, + "groups": { + "acl_permission": "can_add_members", + "email": "group@example.com", + "new_value": [ + "managers", + "members" + ], + "old_value": [ + "managers" + ] + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "group": { + "domain": "example.com", + "name": "group" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-groups" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo", + "target": { + "group": { + "domain": "example.com", + "name": "group" + } + } + } +} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/login/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.7.2/data_stream/login/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..a8c2e6d9e7 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/agent/stream/httpjson.yml.hbs @@ -0,0 +1,44 @@ +config_version: "2" +interval: {{interval}} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{jwt_file}} +auth.oauth2.google.jwt_json: {{jwt_json}} +auth.oauth2.google.delegated_account: {{delegated_account}} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/login +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: url.params.startTime + value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' +response.split: + target: body.items + split: + target: body.events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" + fail_on_template_error: true +cursor: + last_execution_datetime: + value: "[[formatDate now]]" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/google_workspace/1.7.2/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.7.2/data_stream/login/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..b82573273c --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,245 @@ +--- +description: Pipeline for parsing google_workspace logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - append: + field: event.category + value: authentication + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.id.time + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + - rename: + field: json.events.name + target_field: event.action + ignore_missing: true + - fingerprint: + description: Hashes the ID object and uses it as the document id to avoid duplicate events. + fields: + - json.id + target_field: _id + ignore_missing: true + ignore_failure: true + - rename: + field: json.id.applicationName + target_field: event.provider + ignore_missing: true + - convert: + field: json.id.uniqueQualifier + target_field: event.id + type: string + ignore_missing: true + - rename: + field: json.actor.email + target_field: source.user.email + ignore_missing: true + - convert: + field: json.actor.profileId + target_field: source.user.id + type: string + ignore_missing: true + - convert: + field: json.ipAddress + target_field: source.ip + type: ip + ignore_missing: true + - rename: + field: json.kind + target_field: google_workspace.kind + ignore_missing: true + - convert: + field: json.id.customerId + target_field: organization.id + type: string + ignore_missing: true + - rename: + field: json.actor.callerType + target_field: google_workspace.actor.type + ignore_missing: true + - rename: + field: json.actor.key + target_field: google_workspace.actor.key + ignore_missing: true + - rename: + field: json.ownerDomain + target_field: google_workspace.organization.domain + ignore_missing: true + - rename: + field: json.events.type + target_field: google_workspace.event.type + ignore_missing: true + - script: + lang: painless + if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' + source: > + String[] splitmail = ctx.source.user.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + ctx.user.name = splitmail[0]; + ctx.source.user.name = splitmail[0]; + ctx.user.domain = splitmail[1]; + ctx.source.user.domain = splitmail[1]; + - set: + field: user.id + copy_from: source.user.id + if: ctx?.source?.user?.id != null + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx?.source?.ip != null + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null + allow_duplicates: false + - append: + field: event.category + value: session + if: '["login_failure", "login_success", "logout"].contains(ctx?.event?.action)' + - append: + field: event.type + value: start + if: '["login_failure", "login_success"].contains(ctx?.event?.action)' + - append: + field: event.type + value: end + if: 'ctx?.event?.action == "logout"' + - append: + field: event.type + value: user + if: '["account_disabled_generic", "account_disabled_spamming_through_relay", "account_disabled_spamming", "account_disabled_hijacked", "account_disabled_password_leak"].contains(ctx?.event?.action)' + - append: + field: event.type + value: change + if: '["account_disabled_generic", "account_disabled_spamming_through_relay", "account_disabled_spamming", "account_disabled_hijacked", "account_disabled_password_leak"].contains(ctx?.event?.action)' + - append: + field: event.type + value: info + if: '["gov_attack_warning", "login_challenge", "login_verification", "suspicious_login", "suspicious_login_less_secure_app", "suspicious_programmatic_login"].contains(ctx?.event?.action)' + - set: + field: event.outcome + value: failure + if: 'ctx?.event?.action == "login_failure"' + - set: + field: event.outcome + value: success + if: 'ctx?.event?.action == "login_success"' + - script: + lang: painless + if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' + source: > + if (ctx.google_workspace.login == null) { + ctx.google_workspace.login = new HashMap(); + } + for (int i = 0; i < ctx.json.events.parameters.length; ++i) { + if (ctx["json"]["events"]["parameters"][i]["name"] != null && ctx["json"]["events"]["parameters"][i]["name"].startsWith("login_")) { + ctx["json"]["events"]["parameters"][i]["name"] = ctx["json"]["events"]["parameters"][i]["name"].substring(6); + } + if (ctx["json"]["events"]["parameters"][i]["value"] != null) { + ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; + } + if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { + ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { + ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; + } + } + - script: + lang: painless + if: ctx?.google_workspace?.login?.timestamp != null + source: > + ctx._temp_ = new HashMap(); + ctx._temp_.start = ctx?.google_workspace?.login.timestamp / 1000; + - date: + field: _temp_.start + target_field: event.start + timezone: UTC + formats: + - UNIX_MS + if: ctx?._temp_?.start != null + - set: + field: event.outcome + value: success + if: 'ctx?.google_workspace?.login?.challenge_status != null && ctx?.event?.outcome == null && ctx?.google_workspace?.login?.challenge_status == "Challenge Passed"' + - set: + field: event.outcome + value: failure + if: 'ctx?.google_workspace?.login?.challenge_status != null && ctx?.event?.outcome == null' + - script: + lang: painless + if: 'ctx?.google_workspace?.login?.affected_email_address != null && ctx?.google_workspace?.login?.affected_email_address.contains("@")' + source: > + String[] splitmail = ctx.google_workspace.login.affected_email_address.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.related == null) { + ctx.related = new HashMap(); + } + if (ctx.related.user == null) { + ctx.related.user = new ArrayList(); + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + if (ctx.user.target == null) { + ctx.user.target = new HashMap(); + } + ctx.user.target.name = splitmail[0]; + ctx.user.target.domain = splitmail[1]; + ctx.related.user.add(splitmail[0]); + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: + - json + - _temp_ + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.7.2/data_stream/login/fields/agent.yml b/packages/google_workspace/1.7.2/data_stream/login/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/google_workspace/1.7.2/data_stream/login/fields/base-fields.yml b/packages/google_workspace/1.7.2/data_stream/login/fields/base-fields.yml new file mode 100755 index 0000000000..cb70f3767f --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: google_workspace +- name: event.dataset + type: constant_keyword + description: Event dataset + value: google_workspace.login +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/google_workspace/1.7.2/data_stream/login/fields/ecs.yml b/packages/google_workspace/1.7.2/data_stream/login/fields/ecs.yml new file mode 100755 index 0000000000..48c658aa62 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/fields/ecs.yml @@ -0,0 +1,229 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/google_workspace/1.7.2/data_stream/login/fields/fields.yml b/packages/google_workspace/1.7.2/data_stream/login/fields/fields.yml new file mode 100755 index 0000000000..23e4416bab --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/fields/fields.yml @@ -0,0 +1,29 @@ +- name: google_workspace.login + type: group + fields: + - name: affected_email_address + type: keyword + - name: challenge_method + type: keyword + description: | + Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: failure_type + type: keyword + description: | + Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: challenge_status + type: keyword + description: | + Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: timestamp + type: long + description: | + UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: type + type: keyword + description: | + Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: is_second_factor + type: boolean + - name: is_suspicious + type: boolean diff --git a/packages/google_workspace/1.7.2/data_stream/login/fields/package-fields.yml b/packages/google_workspace/1.7.2/data_stream/login/fields/package-fields.yml new file mode 100755 index 0000000000..6aaf0c1ca5 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/fields/package-fields.yml @@ -0,0 +1,27 @@ +- name: google_workspace + type: group + fields: + - name: actor.type + type: keyword + description: | + The type of actor. + Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + - name: actor.key + type: keyword + description: | + Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + - name: event.type + type: keyword + description: | + The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: kind + type: keyword + description: | + The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: organization.domain + type: keyword + description: | + The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.7.2/data_stream/login/manifest.yml b/packages/google_workspace/1.7.2/data_stream/login/manifest.yml new file mode 100755 index 0000000000..4adbd3874b --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: Login logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: Login logs (httpjson) + description: Collect login logs using httpjson input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - google-workspace-login + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/google_workspace/1.7.2/data_stream/login/sample_event.json b/packages/google_workspace/1.7.2/data_stream/login/sample_event.json new file mode 100755 index 0000000000..b391f392c6 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/login/sample_event.json @@ -0,0 +1,97 @@ +{ + "@timestamp": "2022-02-02T12:26:31.000Z", + "agent": { + "ephemeral_id": "0b8db1d7-2f2e-4e9d-84d8-f3b4409101ef", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.login", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "account_disabled_password_leak", + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "created": "2022-02-03T12:26:31.037Z", + "dataset": "google_workspace.login", + "id": "1", + "ingested": "2022-02-03T12:26:32Z", + "provider": "login", + "type": [ + "user", + "change" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "event": { + "type": "account_warning" + }, + "kind": "admin#reports#activity", + "login": { + "affected_email_address": "foo@elastic.co" + }, + "organization": { + "domain": "elastic.com" + } + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo", + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-login" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo", + "target": { + "domain": "elastic.co", + "name": "foo" + } + } +} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/saml/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.7.2/data_stream/saml/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..dc0abe3102 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/agent/stream/httpjson.yml.hbs @@ -0,0 +1,44 @@ +config_version: "2" +interval: {{interval}} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{jwt_file}} +auth.oauth2.google.jwt_json: {{jwt_json}} +auth.oauth2.google.delegated_account: {{delegated_account}} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/saml +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: url.params.startTime + value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' +response.split: + target: body.items + split: + target: body.events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" + fail_on_template_error: true +cursor: + last_execution_datetime: + value: "[[formatDate now]]" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/saml/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.7.2/data_stream/saml/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..c30e7b4639 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,181 @@ +--- +description: Pipeline for parsing google_workspace logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - append: + field: event.type + value: start + - append: + field: event.category + value: authentication + - append: + field: event.category + value: session + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.id.time + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + - rename: + field: json.events.name + target_field: event.action + ignore_missing: true + - fingerprint: + description: Hashes the ID object and uses it as the document id to avoid duplicate events. + fields: + - json.id + target_field: _id + ignore_missing: true + ignore_failure: true + - rename: + field: json.id.applicationName + target_field: event.provider + ignore_missing: true + - convert: + field: json.id.uniqueQualifier + target_field: event.id + type: string + ignore_missing: true + - rename: + field: json.actor.email + target_field: source.user.email + ignore_missing: true + - convert: + field: json.actor.profileId + target_field: source.user.id + type: string + ignore_missing: true + - set: + field: user.id + copy_from: source.user.id + if: ctx?.source?.user?.id != null + - convert: + field: json.ipAddress + target_field: source.ip + type: ip + ignore_missing: true + - rename: + field: json.kind + target_field: google_workspace.kind + ignore_missing: true + - convert: + field: json.id.customerId + target_field: organization.id + type: string + ignore_missing: true + - rename: + field: json.actor.callerType + target_field: google_workspace.actor.type + ignore_missing: true + - rename: + field: json.actor.key + target_field: google_workspace.actor.key + ignore_missing: true + - rename: + field: json.ownerDomain + target_field: google_workspace.organization.domain + ignore_missing: true + - rename: + field: json.events.type + target_field: google_workspace.event.type + ignore_missing: true + - script: + lang: painless + if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' + source: > + String[] splitmail = ctx.source.user.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + ctx.user.name = splitmail[0]; + ctx.source.user.name = splitmail[0]; + ctx.user.domain = splitmail[1]; + ctx.source.user.domain = splitmail[1]; + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx?.source?.ip != null + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null + allow_duplicates: false + - set: + field: event.outcome + value: success + if: 'ctx?.event?.action == "login_success"' + - set: + field: event.outcome + value: failure + if: 'ctx?.event?.action == "login_failure"' + - script: + lang: painless + if: 'ctx?.json?.events?.parameters != null && ctx?.json?.events?.parameters instanceof List' + source: > + if (ctx.google_workspace.saml == null) { + ctx.google_workspace.saml = new HashMap(); + } + for (int i = 0; i < ctx.json.events.parameters.length; ++i) { + if (ctx["json"]["events"]["parameters"][i]["name"] != null && ctx["json"]["events"]["parameters"][i]["name"].startsWith("saml_")) { + ctx["json"]["events"]["parameters"][i]["name"] = ctx["json"]["events"]["parameters"][i]["name"].substring(5); + } + if (ctx["json"]["events"]["parameters"][i]["value"] != null) { + ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["value"]; + } + if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { + ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["intValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { + ctx.google_workspace.saml[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["multiValue"]; + } + } + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.7.2/data_stream/saml/fields/agent.yml b/packages/google_workspace/1.7.2/data_stream/saml/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/google_workspace/1.7.2/data_stream/saml/fields/base-fields.yml b/packages/google_workspace/1.7.2/data_stream/saml/fields/base-fields.yml new file mode 100755 index 0000000000..660db83315 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: google_workspace +- name: event.dataset + type: constant_keyword + description: Event dataset + value: google_workspace.saml +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/google_workspace/1.7.2/data_stream/saml/fields/ecs.yml b/packages/google_workspace/1.7.2/data_stream/saml/fields/ecs.yml new file mode 100755 index 0000000000..48c658aa62 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/fields/ecs.yml @@ -0,0 +1,229 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/google_workspace/1.7.2/data_stream/saml/fields/fields.yml b/packages/google_workspace/1.7.2/data_stream/saml/fields/fields.yml new file mode 100755 index 0000000000..f2f39dd64b --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/fields/fields.yml @@ -0,0 +1,27 @@ +- name: google_workspace.saml + type: group + fields: + - name: application_name + type: keyword + description: | + Saml SP application name. + - name: failure_type + type: keyword + description: | + Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. + - name: initiated_by + type: keyword + description: | + Requester of SAML authentication. + - name: orgunit_path + type: keyword + description: | + User orgunit. + - name: status_code + type: keyword + description: | + SAML status code. + - name: second_level_status_code + type: keyword + description: | + SAML second level status code. diff --git a/packages/google_workspace/1.7.2/data_stream/saml/fields/package-fields.yml b/packages/google_workspace/1.7.2/data_stream/saml/fields/package-fields.yml new file mode 100755 index 0000000000..6aaf0c1ca5 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/fields/package-fields.yml @@ -0,0 +1,27 @@ +- name: google_workspace + type: group + fields: + - name: actor.type + type: keyword + description: | + The type of actor. + Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + - name: actor.key + type: keyword + description: | + Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + - name: event.type + type: keyword + description: | + The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: kind + type: keyword + description: | + The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: organization.domain + type: keyword + description: | + The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.7.2/data_stream/saml/manifest.yml b/packages/google_workspace/1.7.2/data_stream/saml/manifest.yml new file mode 100755 index 0000000000..5b8c5349f1 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: SAML logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: SAML logs (httpjson) + description: Collect SAML logs using httpjson input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - google-workspace-saml + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/google_workspace/1.7.2/data_stream/saml/sample_event.json b/packages/google_workspace/1.7.2/data_stream/saml/sample_event.json new file mode 100755 index 0000000000..df238f80a3 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/saml/sample_event.json @@ -0,0 +1,98 @@ +{ + "@timestamp": "2022-02-02T12:27:23.000Z", + "agent": { + "ephemeral_id": "4ffa592e-b9c1-4a7e-8c91-78817747d073", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.saml", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "login_failure", + "agent_id_status": "verified", + "category": [ + "authentication", + "session" + ], + "created": "2022-02-03T12:27:23.007Z", + "dataset": "google_workspace.saml", + "id": "1", + "ingested": "2022-02-03T12:27:24Z", + "outcome": "failure", + "provider": "saml", + "type": [ + "start" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "event": { + "type": "login" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + }, + "saml": { + "application_name": "app", + "failure_type": "failure_app_not_configured_for_user", + "initiated_by": "idp", + "orgunit_path": "ounit", + "second_level_status_code": "SUCCESS_URI", + "status_code": "SUCCESS_URI" + } + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-saml" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo" + } +} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/user_accounts/agent/stream/httpjson.yml.hbs b/packages/google_workspace/1.7.2/data_stream/user_accounts/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..334297c6f8 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/user_accounts/agent/stream/httpjson.yml.hbs @@ -0,0 +1,44 @@ +config_version: "2" +interval: {{interval}} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{jwt_file}} +auth.oauth2.google.jwt_json: {{jwt_json}} +auth.oauth2.google.delegated_account: {{delegated_account}} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: {{api_host}}/admin/reports/v1/activity/users/{{user_key}}/applications/user_accounts +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +request.transforms: + - set: + target: url.params.startTime + value: '[[if eq .last_response.page 0]][[.cursor.last_execution_datetime]][[else]][[.last_response.url.params.Get "startTime"]][[end]]' + default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' +response.split: + target: body.items + split: + target: body.events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" + fail_on_template_error: true +cursor: + last_execution_datetime: + value: "[[formatDate now]]" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/1.7.2/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..1bdcc3f900 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,152 @@ +--- +description: Pipeline for parsing google_workspace logs +processors: + - set: + field: ecs.version + value: '8.4.0' + - append: + field: event.type + value: change + - append: + field: event.type + value: user + - append: + field: event.category + value: iam + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.id.time + timezone: UTC + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + - rename: + field: json.events.name + target_field: event.action + ignore_missing: true + - fingerprint: + description: Hashes the ID object and uses it as the document id to avoid duplicate events. + fields: + - json.id + target_field: _id + ignore_missing: true + ignore_failure: true + - rename: + field: json.id.applicationName + target_field: event.provider + ignore_missing: true + - convert: + field: json.id.uniqueQualifier + target_field: event.id + type: string + ignore_missing: true + - rename: + field: json.actor.email + target_field: source.user.email + ignore_missing: true + - convert: + field: json.actor.profileId + target_field: source.user.id + type: string + ignore_missing: true + - set: + field: user.id + copy_from: source.user.id + if: ctx?.source?.user?.id != null + - convert: + field: json.ipAddress + target_field: source.ip + type: ip + ignore_missing: true + - rename: + field: json.kind + target_field: google_workspace.kind + ignore_missing: true + - convert: + field: json.id.customerId + target_field: organization.id + type: string + ignore_missing: true + - rename: + field: json.actor.callerType + target_field: google_workspace.actor.type + ignore_missing: true + - rename: + field: json.actor.key + target_field: google_workspace.actor.key + ignore_missing: true + - rename: + field: json.ownerDomain + target_field: google_workspace.organization.domain + ignore_missing: true + - rename: + field: json.events.type + target_field: google_workspace.event.type + ignore_missing: true + - script: + lang: painless + if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' + source: > + String[] splitmail = ctx.source.user.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + ctx.user.name = splitmail[0]; + ctx.source.user.name = splitmail[0]; + ctx.user.domain = splitmail[1]; + ctx.source.user.domain = splitmail[1]; + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx?.source?.ip != null + allow_duplicates: false + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx?.source?.user?.name != null + allow_duplicates: false + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/agent.yml b/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/agent.yml new file mode 100755 index 0000000000..616523c9e1 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/agent.yml @@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/base-fields.yml b/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/base-fields.yml new file mode 100755 index 0000000000..061f34ffc7 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: google_workspace +- name: event.dataset + type: constant_keyword + description: Event dataset + value: google_workspace.user_accounts +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/ecs.yml b/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/ecs.yml new file mode 100755 index 0000000000..48c658aa62 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/ecs.yml @@ -0,0 +1,229 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + normalize: + - array + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + normalize: + - array + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword diff --git a/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/package-fields.yml b/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/package-fields.yml new file mode 100755 index 0000000000..6aaf0c1ca5 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/user_accounts/fields/package-fields.yml @@ -0,0 +1,27 @@ +- name: google_workspace + type: group + fields: + - name: actor.type + type: keyword + description: | + The type of actor. + Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + - name: actor.key + type: keyword + description: | + Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + - name: event.type + type: keyword + description: | + The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: kind + type: keyword + description: | + The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + - name: organization.domain + type: keyword + description: | + The domain that is affected by the report's event. diff --git a/packages/google_workspace/1.7.2/data_stream/user_accounts/manifest.yml b/packages/google_workspace/1.7.2/data_stream/user_accounts/manifest.yml new file mode 100755 index 0000000000..bda3d1d7c8 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/user_accounts/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: User accounts logs +streams: + - input: httpjson + template_path: httpjson.yml.hbs + title: User accounts logs (httpjson) + description: Collect user accounts logs using httpjson input + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - google-workspace-user-accounts + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/google_workspace/1.7.2/data_stream/user_accounts/sample_event.json b/packages/google_workspace/1.7.2/data_stream/user_accounts/sample_event.json new file mode 100755 index 0000000000..42bec86b93 --- /dev/null +++ b/packages/google_workspace/1.7.2/data_stream/user_accounts/sample_event.json @@ -0,0 +1,89 @@ +{ + "@timestamp": "2022-02-02T12:28:15.000Z", + "agent": { + "ephemeral_id": "3242bd5f-5862-4205-97eb-6aaac7d3f3d5", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.user_accounts", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "2sv_disable", + "agent_id_status": "verified", + "category": [ + "iam" + ], + "created": "2022-02-03T12:28:15.402Z", + "dataset": "google_workspace.user_accounts", + "id": "1", + "ingested": "2022-02-03T12:28:16Z", + "provider": "user_accounts", + "type": [ + "change", + "user" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "event": { + "type": "2sv_change" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-user-accounts" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo" + } +} \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/docs/README.md b/packages/google_workspace/1.7.2/docs/README.md new file mode 100755 index 0000000000..e31232d1b2 --- /dev/null +++ b/packages/google_workspace/1.7.2/docs/README.md @@ -0,0 +1,1500 @@ +# Google Workspace Integration + +The Google Workspace integration collects and parses data from the different [Google Workspace audit reports APIs](https://developers.google.com/admin-sdk/reports). + +## Compatibility + +It is compatible with a subset of applications under the [Google Reports API v1](https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started). As of today it supports: + +| Google Workspace Service | Description | +|---|---| +| [SAML](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml) [help](https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054) | View users’ successful and failed sign-ins to SAML applications. | +| [User Accounts](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts) [help](https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054) | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| [Login](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login) [help](https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054) | Track user sign-in activity to your domain. | +| [Admin](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings) [help](https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054) | View administrator activity performed within the Google Admin console. | +| [Drive](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive) [help](https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054) | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| [Groups](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups) [help](https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054) | Track changes to groups, group memberships and group messages. | + +## Requirements + +In order to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- [Set up a ServiceAccount](https://support.google.com/workspacemigrate/answer/9222993?hl=en) using the administrator account. +- [Set up access to the Admin SDK API](https://support.google.com/workspacemigrate/answer/9222865?hl=en) for the ServiceAccount. +- [Enable Domain-Wide Delegation](https://developers.google.com/admin-sdk/reports/v1/guides/delegation) for your ServiceAccount. + +This module will make use of the following *oauth2 scope*: + +- `https://www.googleapis.com/auth/admin.reports.audit.readonly` + +Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration. + +## Logs + +### Google Workspace Reports ECS fields + +This is a list of Google Workspace Reports fields that are mapped to ECS that are common to al data sets. + +| Google Workspace Reports | ECS Fields | +|------------------------------|---------------------------------------------------------------| +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, `related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | +| `items[].actor.profileId` | `source.user.id` | + +### SAML + +This is the `saml` dataset. + +An example event for `saml` looks as following: + +```json +{ + "@timestamp": "2022-02-02T12:27:23.000Z", + "agent": { + "ephemeral_id": "4ffa592e-b9c1-4a7e-8c91-78817747d073", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.saml", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "login_failure", + "agent_id_status": "verified", + "category": [ + "authentication", + "session" + ], + "created": "2022-02-03T12:27:23.007Z", + "dataset": "google_workspace.saml", + "id": "1", + "ingested": "2022-02-03T12:27:24Z", + "outcome": "failure", + "provider": "saml", + "type": [ + "start" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "event": { + "type": "login" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + }, + "saml": { + "application_name": "app", + "failure_type": "failure_app_not_configured_for_user", + "initiated_by": "idp", + "orgunit_path": "ounit", + "second_level_status_code": "SUCCESS_URI", + "status_code": "SUCCESS_URI" + } + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-saml" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | +| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | +| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | +| google_workspace.saml.application_name | Saml SP application name. | keyword | +| google_workspace.saml.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. | keyword | +| google_workspace.saml.initiated_by | Requester of SAML authentication. | keyword | +| google_workspace.saml.orgunit_path | User orgunit. | keyword | +| google_workspace.saml.second_level_status_code | SAML second level status code. | keyword | +| google_workspace.saml.status_code | SAML status code. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| organization.id | Unique identifier for the organization. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +### User Accounts + +This is the `user_accounts` dataset. + +An example event for `user_accounts` looks as following: + +```json +{ + "@timestamp": "2022-02-02T12:28:15.000Z", + "agent": { + "ephemeral_id": "3242bd5f-5862-4205-97eb-6aaac7d3f3d5", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.user_accounts", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "2sv_disable", + "agent_id_status": "verified", + "category": [ + "iam" + ], + "created": "2022-02-03T12:28:15.402Z", + "dataset": "google_workspace.user_accounts", + "id": "1", + "ingested": "2022-02-03T12:28:16Z", + "provider": "user_accounts", + "type": [ + "change", + "user" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "event": { + "type": "2sv_change" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-user-accounts" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | +| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | +| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| organization.id | Unique identifier for the organization. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +### Login Accounts + +This is the `login` dataset. + +An example event for `login` looks as following: + +```json +{ + "@timestamp": "2022-02-02T12:26:31.000Z", + "agent": { + "ephemeral_id": "0b8db1d7-2f2e-4e9d-84d8-f3b4409101ef", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.login", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "account_disabled_password_leak", + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "created": "2022-02-03T12:26:31.037Z", + "dataset": "google_workspace.login", + "id": "1", + "ingested": "2022-02-03T12:26:32Z", + "provider": "login", + "type": [ + "user", + "change" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "event": { + "type": "account_warning" + }, + "kind": "admin#reports#activity", + "login": { + "affected_email_address": "foo@elastic.co" + }, + "organization": { + "domain": "elastic.com" + } + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo", + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-login" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo", + "target": { + "domain": "elastic.co", + "name": "foo" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | +| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | +| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.login.affected_email_address | | keyword | +| google_workspace.login.challenge_method | Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword | +| google_workspace.login.challenge_status | Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword | +| google_workspace.login.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword | +| google_workspace.login.is_second_factor | | boolean | +| google_workspace.login.is_suspicious | | boolean | +| google_workspace.login.timestamp | UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | long | +| google_workspace.login.type | Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword | +| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| organization.id | Unique identifier for the organization. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +### Admin + +This is the `admin` dataset. + +An example event for `admin` looks as following: + +```json +{ + "@timestamp": "2022-02-02T12:23:57.000Z", + "agent": { + "ephemeral_id": "68cf8bd1-0ff1-4c77-a4e7-64ab24882a9c", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.admin", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "CHANGE_APPLICATION_SETTING", + "agent_id_status": "verified", + "category": [ + "iam", + "configuration" + ], + "created": "2022-02-03T12:23:57.797Z", + "dataset": "google_workspace.admin", + "id": "1", + "ingested": "2022-02-03T12:23:58Z", + "provider": "admin", + "type": [ + "change" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "admin": { + "application": { + "edition": "basic", + "name": "drive" + }, + "group": { + "email": "group@example.com" + }, + "new_value": "new", + "old_value": "old", + "org_unit": { + "name": "org" + }, + "setting": { + "name": "setting" + } + }, + "event": { + "type": "APPLICATION_SETTINGS" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "group": { + "domain": "example.com", + "name": "group" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-admin" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo", + "target": { + "group": { + "domain": "example.com", + "name": "group" + } + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | +| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | +| google_workspace.admin.alert.name | The alert name. | keyword | +| google_workspace.admin.api.client.name | The API client name. | keyword | +| google_workspace.admin.api.scopes | The API scopes. | keyword | +| google_workspace.admin.application.asp_id | The application specific password ID. | keyword | +| google_workspace.admin.application.edition | The Google Workspace edition. | keyword | +| google_workspace.admin.application.enabled | The enabled application. | keyword | +| google_workspace.admin.application.id | The application ID. | keyword | +| google_workspace.admin.application.licences_order_number | Order number used to redeem licenses. | keyword | +| google_workspace.admin.application.licences_purchased | Number of licences purchased. | long | +| google_workspace.admin.application.name | The application's name. | keyword | +| google_workspace.admin.application.package_id | The mobile application package ID. | keyword | +| google_workspace.admin.bulk_upload.failed | Number of failed records in bulk upload operation. | long | +| google_workspace.admin.bulk_upload.total | Number of total records in bulk upload operation. | long | +| google_workspace.admin.chrome_licenses.allowed | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword | +| google_workspace.admin.chrome_licenses.enabled | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword | +| google_workspace.admin.chrome_os.session_type | Chrome OS session type. | keyword | +| google_workspace.admin.device.command_details | Command details. | keyword | +| google_workspace.admin.device.id | | keyword | +| google_workspace.admin.device.serial_number | Device serial number. | keyword | +| google_workspace.admin.device.type | Device type. | keyword | +| google_workspace.admin.distribution.entity.name | The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword | +| google_workspace.admin.distribution.entity.type | The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword | +| google_workspace.admin.domain.alias | The domain alias. | keyword | +| google_workspace.admin.domain.name | The primary domain name. | keyword | +| google_workspace.admin.domain.secondary_name | The secondary domain name. | keyword | +| google_workspace.admin.email.log_search_filter.end_date | The log search filter's ending date. | date | +| google_workspace.admin.email.log_search_filter.message_id | The log search filter's email message ID. | keyword | +| google_workspace.admin.email.log_search_filter.recipient.ip | The log search filter's email recipient's IP address. | ip | +| google_workspace.admin.email.log_search_filter.recipient.value | The log search filter's email recipient. | keyword | +| google_workspace.admin.email.log_search_filter.sender.ip | The log search filter's email sender's IP address. | ip | +| google_workspace.admin.email.log_search_filter.sender.value | The log search filter's email sender. | keyword | +| google_workspace.admin.email.log_search_filter.start_date | The log search filter's start date. | date | +| google_workspace.admin.email.quarantine_name | The name of the quarantine. | keyword | +| google_workspace.admin.email_dump.include_deleted | Indicates if deleted emails are included in the export. | boolean | +| google_workspace.admin.email_dump.package_content | The contents of the mailbox package. | keyword | +| google_workspace.admin.email_dump.query | The search query used for the dump. | keyword | +| google_workspace.admin.email_monitor.dest_email | The destination address of the email monitor. | keyword | +| google_workspace.admin.email_monitor.level.chat | The chat email monitor level. | keyword | +| google_workspace.admin.email_monitor.level.draft | The draft email monitor level. | keyword | +| google_workspace.admin.email_monitor.level.incoming | The incoming email monitor level. | keyword | +| google_workspace.admin.email_monitor.level.outgoing | The outgoing email monitor level. | keyword | +| google_workspace.admin.field | The name of the field. | keyword | +| google_workspace.admin.gateway.name | Gateway name. Present on some chat settings. | keyword | +| google_workspace.admin.group.allowed_list | Names of allow-listed groups. | keyword | +| google_workspace.admin.group.email | The group's primary email address. | keyword | +| google_workspace.admin.group.priorities | Group priorities. | keyword | +| google_workspace.admin.info_type | This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword | +| google_workspace.admin.managed_configuration | The name of the managed configuration. | keyword | +| google_workspace.admin.mdm.token | The MDM vendor enrollment token. | keyword | +| google_workspace.admin.mdm.vendor | The MDM vendor's name. | keyword | +| google_workspace.admin.mobile.action.id | The mobile device action's ID. | keyword | +| google_workspace.admin.mobile.action.type | The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword | +| google_workspace.admin.mobile.certificate.name | The mobile certificate common name. | keyword | +| google_workspace.admin.mobile.company_owned_devices | The number of devices a company owns. | long | +| google_workspace.admin.new_value | The new value for the setting. | keyword | +| google_workspace.admin.non_featured_services_selection | Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED | keyword | +| google_workspace.admin.oauth2.application.id | OAuth2 application ID. | keyword | +| google_workspace.admin.oauth2.application.name | OAuth2 application name. | keyword | +| google_workspace.admin.oauth2.application.type | OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings | keyword | +| google_workspace.admin.oauth2.service.name | OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings | keyword | +| google_workspace.admin.old_value | The old value for the setting. | keyword | +| google_workspace.admin.org_unit.full | The org unit full path including the root org unit name. | keyword | +| google_workspace.admin.org_unit.name | The organizational unit name. | keyword | +| google_workspace.admin.print_server.name | The name of the print server. | keyword | +| google_workspace.admin.printer.name | The name of the printer. | keyword | +| google_workspace.admin.privilege.name | Privilege name. | keyword | +| google_workspace.admin.product.name | The product name. | keyword | +| google_workspace.admin.product.sku | The product SKU. | keyword | +| google_workspace.admin.request.id | The request ID. | keyword | +| google_workspace.admin.resource.id | The name of the resource identifier. | keyword | +| google_workspace.admin.role.id | Unique identifier for this role privilege. | keyword | +| google_workspace.admin.role.name | The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings | keyword | +| google_workspace.admin.rule.name | The rule name. | keyword | +| google_workspace.admin.service.name | The service name. | keyword | +| google_workspace.admin.setting.description | The setting name. | keyword | +| google_workspace.admin.setting.name | The setting name. | keyword | +| google_workspace.admin.url.name | The website name. | keyword | +| google_workspace.admin.user.birthdate | The user's birth date. | date | +| google_workspace.admin.user.email | The user's primary email address. | keyword | +| google_workspace.admin.user.nickname | The user's nickname. | keyword | +| google_workspace.admin.user_defined_setting.name | The name of the user-defined setting. | keyword | +| google_workspace.admin.verification_method | Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword | +| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.name | Name given by operators to sections of their network. | keyword | +| organization.id | Unique identifier for the organization. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +### Drive + +This is the `drive` dataset. + +An example event for `drive` looks as following: + +```json +{ + "@timestamp": "2022-02-02T12:24:50.000Z", + "agent": { + "ephemeral_id": "3160d231-025f-4e24-9581-72458c960fca", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.drive", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "add_to_folder", + "agent_id_status": "verified", + "category": [ + "file" + ], + "created": "2022-02-03T12:24:50.101Z", + "dataset": "google_workspace.drive", + "id": "1", + "ingested": "2022-02-03T12:24:51Z", + "provider": "drive", + "type": [ + "change" + ] + }, + "file": { + "name": "document title", + "owner": "owner", + "type": "file" + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "drive": { + "billable": false, + "destination_folder_id": "1234", + "destination_folder_title": "folder title", + "file": { + "id": "1234", + "owner": { + "email": "owner@example.com", + "is_shared_drive": false + }, + "type": "document" + }, + "originating_app_id": "1234", + "primary_event": true, + "visibility": "people_with_link" + }, + "event": { + "type": "access" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "owner", + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-drive" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.type | File type (file, dir, or symlink). | keyword | +| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | +| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | +| google_workspace.drive.added_role | Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | +| google_workspace.drive.billable | Whether this activity is billable. | boolean | +| google_workspace.drive.destination_folder_id | | keyword | +| google_workspace.drive.destination_folder_title | | keyword | +| google_workspace.drive.file.id | | keyword | +| google_workspace.drive.file.owner.email | | keyword | +| google_workspace.drive.file.owner.is_shared_drive | Boolean flag denoting whether owner is a shared drive. | boolean | +| google_workspace.drive.file.type | Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | +| google_workspace.drive.membership_change_type | Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | +| google_workspace.drive.new_value | When a setting or property of the file changes, the new value for it will appear here. | keyword | +| google_workspace.drive.old_value | When a setting or property of the file changes, the old value for it will appear here. | keyword | +| google_workspace.drive.old_visibility | When visibility changes, this holds the old value. | keyword | +| google_workspace.drive.originating_app_id | The Google Cloud Project ID of the application that performed the action. | keyword | +| google_workspace.drive.primary_event | Whether this is a primary event. A single user action in Drive may generate several events. | boolean | +| google_workspace.drive.removed_role | Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | +| google_workspace.drive.shared_drive_id | The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. | keyword | +| google_workspace.drive.shared_drive_settings_change_type | Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | +| google_workspace.drive.sheets_import_range_recipient_doc | Doc ID of the recipient of a sheets import range. | keyword | +| google_workspace.drive.source_folder_id | | keyword | +| google_workspace.drive.source_folder_title | | keyword | +| google_workspace.drive.target | Target user or group. | keyword | +| google_workspace.drive.target_domain | The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. | keyword | +| google_workspace.drive.visibility | Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword | +| google_workspace.drive.visibility_change | When visibility changes, this holds the new overall visibility of the file. | keyword | +| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| organization.id | Unique identifier for the organization. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + + +### Groups + +This is the `groups` dataset. + +An example event for `groups` looks as following: + +```json +{ + "@timestamp": "2022-02-02T12:25:39.000Z", + "agent": { + "ephemeral_id": "a9599f5d-49a5-4339-9e5e-484f19370712", + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "google_workspace.groups", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "change_acl_permission", + "agent_id_status": "verified", + "category": [ + "iam" + ], + "created": "2022-02-03T12:25:39.375Z", + "dataset": "google_workspace.groups", + "id": "1", + "ingested": "2022-02-03T12:25:40Z", + "provider": "groups", + "type": [ + "group", + "change" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "event": { + "type": "acl_change" + }, + "groups": { + "acl_permission": "can_add_members", + "email": "group@example.com", + "new_value": [ + "managers", + "members" + ], + "old_value": [ + "managers" + ] + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "group": { + "domain": "example.com", + "name": "group" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "98.235.162.24" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, Inc." + } + }, + "ip": "98.235.162.24", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "forwarded", + "google-workspace-groups" + ], + "user": { + "domain": "bar.com", + "id": "1", + "name": "foo", + "target": { + "group": { + "domain": "example.com", + "name": "group" + } + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword | +| google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword | +| google_workspace.event.type | The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.groups.acl_permission | Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | +| google_workspace.groups.email | Group email. | keyword | +| google_workspace.groups.member.email | Member email. | keyword | +| google_workspace.groups.member.role | Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | +| google_workspace.groups.message.id | SMTP message Id of an email message. Present for moderation events. | keyword | +| google_workspace.groups.message.moderation_action | Message moderation action. Possible values are `approved` and `rejected`. | keyword | +| google_workspace.groups.new_value | New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | +| google_workspace.groups.old_value | Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | +| google_workspace.groups.setting | Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | +| google_workspace.groups.status | A status describing the output of an operation. Possible values are `failed` and `succeeded`. | keyword | +| google_workspace.groups.value | Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword | +| google_workspace.kind | The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list | keyword | +| google_workspace.organization.domain | The domain that is affected by the report's event. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| organization.id | Unique identifier for the organization. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | + diff --git a/packages/google_workspace/1.7.2/img/logo.svg b/packages/google_workspace/1.7.2/img/logo.svg new file mode 100755 index 0000000000..c06982fbad --- /dev/null +++ b/packages/google_workspace/1.7.2/img/logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/google_workspace/1.7.2/manifest.yml b/packages/google_workspace/1.7.2/manifest.yml new file mode 100755 index 0000000000..1e94bc0bdb --- /dev/null +++ b/packages/google_workspace/1.7.2/manifest.yml @@ -0,0 +1,92 @@ +name: google_workspace +title: Google Workspace +version: 1.7.2 +release: ga +description: Collect logs from Google Workspace with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +icons: + - src: /img/logo.svg + title: logo Google + size: 32x32 + type: image/svg+xml +categories: + - security +conditions: + kibana.version: ^8.4.0 +policy_templates: + - name: google_workspace + title: Google Workspace logs + description: Collect logs from Google Workspace APIs + inputs: + - type: httpjson + vars: + - name: jwt_file + type: text + title: Jwt File + description: Specifies the path to the JWT credentials file. + multi: false + required: false + show_user: true + - name: jwt_json + type: text + title: Jwt JSON + description: | + Raw contents of the JWT file. Useful when hosting + a file along with the agent is not possible. + multi: false + required: false + show_user: true + - name: delegated_account + type: text + title: Delegated Account + description: Email of the admin user used to access the API. + multi: false + required: true + show_user: true + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + - name: http_client_timeout + type: text + title: Http Client Timeout + description: Duration of the time limit on HTTP requests. + multi: false + required: true + show_user: true + default: 60s + - name: user_key + type: text + title: User Key + description: Specifies the user key to fetch reports from. + multi: false + required: true + show_user: true + default: all + - name: interval + type: text + title: Interval + description: > + Duration between requests to the API. Google Workspace defaults to a 2 hour polling interval because Google reports can go from some minutes up to 3 days of delay. For more details on this, you can read more at https://support.google.com/a/answer/7061566. + + multi: false + required: true + show_user: true + default: 2h + - name: api_host + type: text + title: API Host. + description: The Google Workspace API Host. The path will be automatically set. + multi: false + required: true + show_user: false + default: https://www.googleapis.com + title: "Collect admin, drive, groups, login, saml and user accounts logs (input: httpjson)" + description: "Collecting admin, drive, groups, login, saml and user accounts logs (input: httpjson)" +owner: + github: elastic/security-external-integrations diff --git a/packages/microsoft_dhcp/1.7.1/LICENSE.txt b/packages/microsoft_dhcp/1.7.1/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/microsoft_dhcp/1.7.1/changelog.yml b/packages/microsoft_dhcp/1.7.1/changelog.yml new file mode 100755 index 0000000000..919f4da030 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/changelog.yml @@ -0,0 +1,81 @@ +# newer versions go on top +- version: "1.7.1" + changes: + - description: Fix a bug in documenation with hyperlink to Microsoft website + type: enhancement + link: https://github.com/elastic/integrations/pull/4393 +- version: "1.7.0" + changes: + - description: Change host.domain to host.name to reflect the event data and then extract host.domain from the host.name + type: enhancement + link: https://github.com/elastic/integrations/pull/4280 +- version: "1.6.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3867 +- version: "1.5.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.4.2" + changes: + - description: Change event.type value from end to stop according to ECS + type: bugfix + link: https://github.com/elastic/integrations/issues/3406 +- version: "1.4.1" + changes: + - description: Format observer.mac as per ECS and add missing mappings for event.category, event.outcome, and event.type. + type: bugfix + link: https://github.com/elastic/integrations/pull/3300 +- version: "1.4.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2780 +- version: "1.3.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.3.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2423 +- version: "1.2.0" + changes: + - description: Add DHCPv6 Server support + type: enhancement + link: https://github.com/elastic/integrations/pull/2473 +- version: "1.1.0" + changes: + - description: Add more event.action and event.outcome values + type: enhancement + link: https://github.com/elastic/integrations/pull/2296 +- version: "1.0.0" + changes: + - description: GA integration + type: enhancement + link: https://github.com/elastic/integrations/pull/2360 +- version: "0.2.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "0.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2276 +- version: "0.1.1" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1972 +- version: "0.1.0" + changes: + - description: Initial release + type: enhancement + link: https://github.com/elastic/integrations/pull/1793 diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/microsoft_dhcp/1.7.1/data_stream/log/agent/stream/logfile.yml.hbs new file mode 100755 index 0000000000..2b61987446 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/agent/stream/logfile.yml.hbs @@ -0,0 +1,32 @@ +paths: +{{#each paths as |path i|}} + - '{{path}}' +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if tz_offset}} +fields_under_root: true +fields: + _conf: + tz_offset: {{tz_offset}} +{{/if}} +processors: +- drop_event: + when: + not: + regexp: + message: "^[0-9]+,.*" +- add_observer_metadata: +- add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..1a5a6a3ead --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,63 @@ +--- +description: Pipeline for processing Microsoft DHCP Server logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - set: + field: event.kind + value: event + - set: + field: event.timezone + value: "{{{_conf.tz_offset}}}" + if: "ctx?._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'" + - set: + field: event.original + override: false + copy_from: message + - remove: + field: message + ignore_missing: true + - rename: + field: message + target_field: event.original + ignore_missing: true + - pipeline: + name: '{{ IngestPipeline "dhcp" }}' + if: "ctx?.log?.file?.path != null && !ctx.log.file.path.contains('V6')" + - pipeline: + name: '{{ IngestPipeline "dhcpv6" }}' + if: "ctx?.log?.file?.path != null && ctx.log.file.path.contains('V6')" + - foreach: + field: observer.mac + ignore_missing: true + processor: + gsub: + field: _ingest._value + pattern: '[:]' + replacement: '-' + - foreach: + field: observer.mac + ignore_missing: true + processor: + uppercase: + field: _ingest._value + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - _tmp_ + - _conf + ignore_missing: true +on_failure: + - set: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + - remove: + field: + - _tmp_ + - _conf diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml new file mode 100755 index 0000000000..e2ad56f413 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml @@ -0,0 +1,353 @@ +--- +## Reference document for DHCP field mapping: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10) +description: Pipeline for processing Microsoft DHCP Server logs. +processors: + - csv: + field: event.original + target_fields: + - event.code + - _tmp_.date + - _tmp_.time + - message + - host.ip + - host.name + - _tmp_.mac + - user.name + - microsoft.dhcp.transaction_id + - microsoft.dhcp.result + - microsoft.dhcp.probation_time + - microsoft.dhcp.correlation_id + - microsoft.dhcp.dhc_id + - microsoft.dhcp.vendor.hex + - microsoft.dhcp.vendor.string + - microsoft.dhcp.user.hex + - microsoft.dhcp.user.string + - microsoft.dhcp.relay_agent_info + - microsoft.dhcp.dns_error_code + ignore_failure: true + - grok: + field: host.name + if: 'ctx.host?.name != null && ctx.host.name.contains(".")' + patterns: + - "%{HOSTNAME}\\.%{GREEDYDATA:host.domain}" + pattern_definitions: + "HOSTNAME": "[^.]+" + ignore_failure: true + - set: + field: _tmp_.timestamp + value: "{{{_tmp_.date}}} {{{_tmp_.time}}}" + - date: + field: _tmp_.timestamp + formats: + - "MM/dd/yy HH:mm:ss" + timezone: "{{{event.timezone}}}" + - script: + description: Set event action, category, outcome, and type for all known event types. + lang: painless + tag: Add ECS categorization fields + params: + "00": + action: log-start + category: + - process + type: + - start + "01": + action: log-end + category: + - process + type: + - end + "02": + action: log-pause + category: + - process + type: + - change + outcome: failure + "10": + action: dhcp-new + category: + - network + type: + - allowed + - connection + "11": + action: dhcp-renew + category: + - network + type: + - allowed + - connection + "12": + action: dhcp-release + category: + - network + type: + - allowed + - connection + "13": + category: + - network + type: + - connection + "14": + category: + - network + type: + - connection + - denied + outcome: failure + "15": + action: dhcp-deny + category: + - network + type: + - connection + - denied + outcome: failure + "16": + action: dhcp-delete + category: + - network + type: + - connection + "17": + action: dhcp-expire + category: + - network + type: + - connection + "18": + action: dhcp-expire + category: + - network + type: + - connection + "20": + category: + - network + type: + - allowed + - connection + "21": + category: + - network + type: + - allowed + - connection + "22": + category: + - network + type: + - connection + - denied + outcome: failure + "23": + category: + - network + type: + - connection + - denied + outcome: failure + "24": + action: ip-cleanup-start + category: + - process + type: + - start + "25": + action: ip-cleanup-end + category: + - process + type: + - start + "30": + action: dhcp-dns-update + category: + - network + type: + - connection + "31": + action: dhcp-dns-update + category: + - network + type: + - connection + outcome: failure + "32": + action: dhcp-dns-update + category: + - network + type: + - connection + "33": + category: + - network + type: + - connection + outcome: failure + "34": + action: dhcp-dns-update + category: + - network + type: + - connection + outcome: failure + "35": + action: dhcp-dns-update + category: + - network + type: + - connection + - denied + outcome: failure + "36": + category: + - network + type: + - connection + - denied + outcome: failure + "50": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + outcome: failure + "51": + action: rogue-server-detection + category: + - authentication + - network + type: + - allowed + - connection + "52": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + "53": + action: rogue-server-detection + category: + - authentication + - network + type: + - allowed + - connection + "54": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + - denied + outcome: failure + "55": + action: rogue-server-detection + category: + - authentication + - network + type: + - allowed + - connection + "56": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + - denied + outcome: failure + "57": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + "58": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + outcome: failure + "59": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + outcome: failure + "60": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + "61": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + "62": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + "63": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + "64": + action: rogue-server-detection + category: + - authentication + - network + type: + - connection + source: |- + if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params[ctx.event.code]); + hm.forEach((k, v) -> ctx.event[k] = v); + - set: + field: event.outcome + value: success + if: ctx?.event?.outcome == null + - gsub: + field: _tmp_.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + - uppercase: + field: _tmp_.mac + ignore_missing: true + - append: + if: ctx?._tmp_?.mac != null + field: host.mac + value: '{{{_tmp_.mac}}}' +on_failure: + - set: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml b/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml new file mode 100755 index 0000000000..ff848a28a8 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml @@ -0,0 +1,252 @@ +--- +description: Pipeline for processing Microsoft DHCPv6 Server logs. +processors: + - csv: + field: event.original + target_fields: + - event.code + - _tmp_.date + - _tmp_.time + - message + - host.ip + - host.name + - microsoft.dhcp.error_code + - microsoft.dhcp.duid.length + - microsoft.dhcp.duid.hex + - microsoft.dhcp.user.string + - microsoft.dhcp.dhc_id + - microsoft.dhcp.subnet_prefix + ignore_failure: true + - grok: + field: host.name + if: 'ctx.host?.name != null && ctx.host.name.contains(".")' + patterns: + - "%{HOSTNAME}\\.%{GREEDYDATA:host.domain}" + pattern_definitions: + "HOSTNAME": "[^.]+" + ignore_failure: true + - set: + field: _tmp_.timestamp + value: "{{{_tmp_.date}}} {{{_tmp_.time}}}" + - date: + field: _tmp_.timestamp + formats: + - "MM/dd/yy HH:mm:ss" + timezone: "{{{event.timezone}}}" + - script: + description: Set event action, category, outcome, and type for all known event types. + lang: painless + tag: Add ECS categorization fields + params: + "11000": + action: dhcpv6-solicit + category: + - network + type: + - connection + - protocol + "11001": + action: dhcpv6-advertise + category: + - network + type: + - connection + - protocol + "11002": + action: dhcpv6-request + category: + - network + type: + - connection + - protocol + "11003": + action: dhcpv6-confirm + category: + - network + type: + - connection + - protocol + "11004": + action: dhcpv6-renew + category: + - network + type: + - connection + - protocol + "11005": + action: dhcpv6-rebind + category: + - network + type: + - connection + - protocol + "11006": + action: dhcpv6-decline + category: + - network + type: + - connection + - protocol + outcome: failure + "11007": + action: dhcpv6-release + category: + - network + type: + - connection + "11008": + action: dhcpv6-info-request + category: + - network + type: + - connection + "11009": + action: dhcpv6-scope-full + category: + - network + type: + - connection + "11010": + action: log-start + category: + - process + type: + - start + "11011": + action: log-stop + category: + - process + type: + - end + "11012": + action: log-pause + category: + - process + type: + - change + "11013": + action: log-file + category: + - process + type: + - info + "11014": + action: dhcpv6-bad-address + category: + - network + type: + - connection + outcome: failure + "11015": + action: dhcpv6-address-in-use + category: + - network + type: + - connection + "11016": + action: dhcpv6-client-deleted + category: + - network + type: + - connection + "11017": + action: ipv6-dns-record-not-deleted + category: + - network + type: + - connection + "11018": + action: dhcpv6-expired + category: + - network + type: + - connection + "11019": + action: dhcpv6-lease-expired-deleted + category: + - network + type: + - connection + "11020": + action: dhcpv6-cleanup-start + category: + - process + type: + - start + "11021": + action: dhcpv6-cleanup-end + category: + - process + type: + - end + "11022": + action: ipv6-dns-update-request + category: + - network + type: + - connection + - start + "11023": + action: ipv6-dns-update-failed + category: + - network + type: + - connection + - end + outcome: failure + "11024": + action: ipv6-dns-update-successful + category: + - network + type: + - connection + - end + "11028": + action: ipv6-dns-update-request-queue-exceeded + category: + - network + type: + - connection + - end + outcome: failure + "11029": + action: ipv6-dns-update-request-failed + category: + - network + type: + - connection + - end + outcome: failure + "11030": + action: dhcpv6-stateless-clients-pruged + category: + - process + type: + - change + "11031": + action: dhcpv6-stateless-clients-expired + category: + - process + type: + - change + "11032": + action: dhcpv6-stateless-client-info-request + category: + - network + type: + - info + source: |- + if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { + return; + } + def hm = new HashMap(params[ctx.event.code]); + hm.forEach((k, v) -> ctx.event[k] = v); + - set: + field: event.outcome + value: success + if: ctx?.event?.outcome == null +on_failure: + - set: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/agent.yml b/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..dbed2e68dc --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/agent.yml @@ -0,0 +1,4 @@ +- name: input.type + type: keyword +- name: log.offset + type: long diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/base-fields.yml b/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..096db185c7 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: microsoft_dhcp +- name: event.dataset + type: constant_keyword + description: Event dataset + value: microsoft_dhcp.log diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/ecs.yml b/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..dc576f8d62 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/ecs.yml @@ -0,0 +1,124 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Name of the domain of which the host is a member. + For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + name: host.domain + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: IP addresses of the observer. + name: observer.ip + normalize: + - array + type: ip +- description: |- + MAC addresses of the observer. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: observer.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/fields.yml b/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..3d7eebb86c --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/fields/fields.yml @@ -0,0 +1,63 @@ +- name: microsoft.dhcp + type: group + fields: + - name: transaction_id + type: keyword + description: | + The DHCP transaction ID. + - name: result + type: keyword + description: | + The DHCP result type, for example "NoQuarantine", "Drop Packet" etc. + - name: probation_time + type: keyword + description: | + The probation time before lease ends on specific IP. + - name: correlation_id + type: keyword + description: | + The NAP correlation ID related to the client/server transaction. + - name: dhc_id + type: keyword + description: | + The related DHCID (DHC DNS record). + - name: vendor.hex + type: keyword + description: | + Hex representation of the vendor. + - name: vendor.string + type: keyword + description: | + String representation of the vendor. + - name: user.hex + type: keyword + description: | + Hex representation of the user. + - name: user.string + type: keyword + description: | + String representation of the user. + - name: relay_agent_info + type: keyword + description: | + Information about DHCP relay agent used for the DHCP request. + - name: dns_error_code + type: keyword + description: | + DNS error code communicated to client. + - name: error_code + type: keyword + description: | + DHCP server error code. + - name: duid.length + type: keyword + description: | + The length of the DUID field. + - name: duid.hex + type: keyword + description: | + The related DHCP Unique Identifier (DUID) for the host (DHCPv6). + - name: subnet_prefix + type: keyword + description: | + The number of bits for the subnet prefix. diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/manifest.yml b/packages/microsoft_dhcp/1.7.1/data_stream/log/manifest.yml new file mode 100755 index 0000000000..092f44f2b0 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/manifest.yml @@ -0,0 +1,50 @@ +title: "Microsoft DHCP Logs" +type: logs +streams: + - input: logfile + template_path: logfile.yml.hbs + title: DHCP Logs + description: Collects Microsoft DHCP logs. + vars: + - name: tz_offset + type: text + title: Timezone Offset + multi: false + required: true + show_user: true + default: local + description: >- + By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. + - name: paths + type: text + title: Paths + multi: true + show_user: true + default: + - 'C:\Windows\System32\DHCP\DhcpSrvLog-*.log' + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - microsoft_dhcp + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/microsoft_dhcp/1.7.1/data_stream/log/sample_event.json b/packages/microsoft_dhcp/1.7.1/data_stream/log/sample_event.json new file mode 100755 index 0000000000..c56a4fede8 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/data_stream/log/sample_event.json @@ -0,0 +1,73 @@ +{ + "@timestamp": "2001-01-01T01:01:01.000-05:00", + "agent": { + "ephemeral_id": "268da6cf-879e-4478-b666-96c44fba3109", + "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "data_stream": { + "dataset": "microsoft_dhcp.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "dhcp-dns-update", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "35", + "dataset": "microsoft_dhcp.log", + "ingested": "2022-09-26T06:06:08Z", + "kind": "event", + "original": "35,01/01/01,01:01:01,DNS update request failed,192.168.2.1,host.test.com,000000000000,", + "outcome": "failure", + "timezone": "America/New_York", + "type": [ + "connection", + "denied" + ] + }, + "host": { + "domain": "test.com", + "ip": "192.168.2.1", + "mac": [ + "00-00-00-00-00-00" + ], + "name": "host.test.com" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/test-dhcp.log" + }, + "offset": 2407 + }, + "message": "DNS update request failed", + "observer": { + "hostname": "docker-fleet-agent", + "ip": [ + "172.23.0.4" + ], + "mac": [ + "02-42-AC-17-00-04" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "microsoft_dhcp" + ] +} \ No newline at end of file diff --git a/packages/microsoft_dhcp/1.7.1/docs/README.md b/packages/microsoft_dhcp/1.7.1/docs/README.md new file mode 100755 index 0000000000..9dd54e2d87 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/docs/README.md @@ -0,0 +1,146 @@ +# Microsoft DHCP + +This integration collects logs and metrics from Microsoft DHCP logs. + +## Compatibility + +This integration has been made to support the DHCP log format from Windows Server 2008 and later. + +### Logs + +Ingest logs from Microsoft DHCP Server, by default logged with the filename format: +`%windir%\System32\DHCP\DhcpSrvLog-*.log` + +Logs may also be ingested from Microsoft DHCPv6 Server, by default logged with the filename format: +`%windir%\System32\DHCP\DhcpV6SrvLog-*.log` + +Relevant documentation for Microsoft DHCP can be found on [this](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10)) location. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2001-01-01T01:01:01.000-05:00", + "agent": { + "ephemeral_id": "268da6cf-879e-4478-b666-96c44fba3109", + "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "data_stream": { + "dataset": "microsoft_dhcp.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "3355f43c-4984-4a3f-b93d-56ac8c865c8c", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "dhcp-dns-update", + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "35", + "dataset": "microsoft_dhcp.log", + "ingested": "2022-09-26T06:06:08Z", + "kind": "event", + "original": "35,01/01/01,01:01:01,DNS update request failed,192.168.2.1,host.test.com,000000000000,", + "outcome": "failure", + "timezone": "America/New_York", + "type": [ + "connection", + "denied" + ] + }, + "host": { + "domain": "test.com", + "ip": "192.168.2.1", + "mac": [ + "00-00-00-00-00-00" + ], + "name": "host.test.com" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/test-dhcp.log" + }, + "offset": 2407 + }, + "message": "DNS update request failed", + "observer": { + "hostname": "docker-fleet-agent", + "ip": [ + "172.23.0.4" + ], + "mac": [ + "02-42-AC-17-00-04" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "microsoft_dhcp" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| input.type | | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| microsoft.dhcp.correlation_id | The NAP correlation ID related to the client/server transaction. | keyword | +| microsoft.dhcp.dhc_id | The related DHCID (DHC DNS record). | keyword | +| microsoft.dhcp.dns_error_code | DNS error code communicated to client. | keyword | +| microsoft.dhcp.duid.hex | The related DHCP Unique Identifier (DUID) for the host (DHCPv6). | keyword | +| microsoft.dhcp.duid.length | The length of the DUID field. | keyword | +| microsoft.dhcp.error_code | DHCP server error code. | keyword | +| microsoft.dhcp.probation_time | The probation time before lease ends on specific IP. | keyword | +| microsoft.dhcp.relay_agent_info | Information about DHCP relay agent used for the DHCP request. | keyword | +| microsoft.dhcp.result | The DHCP result type, for example "NoQuarantine", "Drop Packet" etc. | keyword | +| microsoft.dhcp.subnet_prefix | The number of bits for the subnet prefix. | keyword | +| microsoft.dhcp.transaction_id | The DHCP transaction ID. | keyword | +| microsoft.dhcp.user.hex | Hex representation of the user. | keyword | +| microsoft.dhcp.user.string | String representation of the user. | keyword | +| microsoft.dhcp.vendor.hex | Hex representation of the vendor. | keyword | +| microsoft.dhcp.vendor.string | String representation of the vendor. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/microsoft_dhcp/1.7.1/img/logo.svg b/packages/microsoft_dhcp/1.7.1/img/logo.svg new file mode 100755 index 0000000000..5334aa7ca6 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/img/logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/microsoft_dhcp/1.7.1/manifest.yml b/packages/microsoft_dhcp/1.7.1/manifest.yml new file mode 100755 index 0000000000..5f9dee63c0 --- /dev/null +++ b/packages/microsoft_dhcp/1.7.1/manifest.yml @@ -0,0 +1,27 @@ +format_version: 1.0.0 +name: microsoft_dhcp +title: Microsoft DHCP +version: "1.7.1" +license: basic +description: Collect logs from Microsoft DHCP with Elastic Agent. +type: integration +categories: + - network +release: ga +conditions: + kibana.version: ^7.14.0 || ^8.0.0 +icons: + - src: /img/logo.svg + title: Microsoft logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: microsoft_dhcp + title: Microsoft DHCP + description: Collect Microsoft DHCP logs. + inputs: + - type: logfile + title: Logs from file + description: Collect DHCP logs from file. +owner: + github: elastic/security-external-integrations diff --git a/packages/netflow/2.2.5/LICENSE.txt b/packages/netflow/2.2.5/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/netflow/2.2.5/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/netflow/2.2.5/changelog.yml b/packages/netflow/2.2.5/changelog.yml new file mode 100755 index 0000000000..743f6dd423 --- /dev/null +++ b/packages/netflow/2.2.5/changelog.yml @@ -0,0 +1,147 @@ +# newer versions go on top +- version: "2.2.5" + changes: + - description: Fix invalid Kibana search indexRefName reference. + type: bugfix + link: https://github.com/elastic/integrations/issues/2572 +- version: "2.2.4" + changes: + - description: Remove duplicate field. + type: bugfix + link: https://github.com/elastic/integrations/issues/4327 +- version: "2.2.3" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "2.2.2" + changes: + - description: Remove unused visualizations + type: enhancement + link: https://github.com/elastic/integrations/issues/3975 +- version: "2.2.1" + changes: + - description: Added link to Netflow documentation + type: enhancement + link: https://github.com/elastic/integrations/pull/3002 +- version: "2.2.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3868 +- version: "2.1.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "2.0.1" + changes: + - description: Fix invalid value in sample event + type: bugfix + link: https://github.com/elastic/integrations/pull/3334 +- version: "2.0.0" + changes: + - description: Migrate map visualisation from tile_map to map object + type: enhancement + link: https://github.com/elastic/integrations/pull/3263 +- version: "1.5.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2780 +- version: "1.4.2" + changes: + - description: Replace invalid field value + type: enhancement + link: https://github.com/elastic/integrations/pull/3096 +- version: "1.4.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.4.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2424 +- version: "1.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2220 +- version: "1.2.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2098 +- version: "1.2.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1973 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1833 +- version: "1.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1667 +- version: "1.1.3" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1489 +- version: '1.1.2' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1396 +- version: "1.1.1" + changes: + - description: Escape special characters in docs + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1218 + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1218 +- version: "0.4.1" + changes: + - description: Use `wildcard` field type for the relevant ECS fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/1179 +- version: "0.4.0" + changes: + - description: update to ECS 1.10.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1062 +- version: "0.3.9" + changes: + - description: add pipeline tests and move ecs.version set the to ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/1006 +- version: "0.3.8" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/857 +- version: "0.1.0" + changes: + - description: Change field type of `netflow.application_category_nam` and `netflow.application_sub_category_name` to keyword to ensure there are no type conflicts between vendors. + type: enhancement + link: https://github.com/elastic/integrations/pull/697 + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/23 diff --git a/packages/netflow/2.2.5/data_stream/log/agent/stream/netflow.yml.hbs b/packages/netflow/2.2.5/data_stream/log/agent/stream/netflow.yml.hbs new file mode 100755 index 0000000000..45be18a81e --- /dev/null +++ b/packages/netflow/2.2.5/data_stream/log/agent/stream/netflow.yml.hbs @@ -0,0 +1,31 @@ +protocols: [v1, v5, v6, v7, v8, v9, ipfix] +host: '{{host}}:{{port}}' +max_message_size: '{{max_message_size}}' +expiration_timeout: '{{expiration_timeout}}' +queue_size: {{queue_size}} +{{#if timeout}} +timeout: '{{timeout}}' +{{/if}} +{{#if read_buffer}} +read_buffer: '{{read_buffer}}' +{{/if}} +{{#if custom_definitions}} +custom_definitions: +{{#each custom_definitions}} +- '{{this}}' +{{/each}} +{{/if}} +{{#if detect_sequence_reset}} +detect_sequence_reset: {{detect_sequence_reset}} +{{/if}} +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/netflow/2.2.5/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/netflow/2.2.5/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..22e867908d --- /dev/null +++ b/packages/netflow/2.2.5/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,69 @@ +--- +description: Pipeline for NetFlow + +processors: + - set: + field: ecs.version + value: '8.4.0' + - convert: + field: network.iana_number + type: string + ignore_missing: true + ignore_failure: true + + - set: + field: event.category + value: + - network + - session + if: 'ctx.event?.category != null && ctx.event?.category == "network_session"' + + # IP Geolocation Lookup + - geoip: + if: ctx.source?.geo == null + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + if: ctx.destination?.geo == null + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/netflow/2.2.5/data_stream/log/fields/agent.yml b/packages/netflow/2.2.5/data_stream/log/fields/agent.yml new file mode 100755 index 0000000000..e0b771d54f --- /dev/null +++ b/packages/netflow/2.2.5/data_stream/log/fields/agent.yml @@ -0,0 +1,100 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/netflow/2.2.5/data_stream/log/fields/base-fields.yml b/packages/netflow/2.2.5/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..008a46bbbb --- /dev/null +++ b/packages/netflow/2.2.5/data_stream/log/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: netflow +- name: event.dataset + type: constant_keyword + description: Event dataset + value: netflow.log diff --git a/packages/netflow/2.2.5/data_stream/log/fields/ecs.yml b/packages/netflow/2.2.5/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..18a03cfc03 --- /dev/null +++ b/packages/netflow/2.2.5/data_stream/log/fields/ecs.yml @@ -0,0 +1,1620 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: |- + Ephemeral identifier of this agent (if one exists). + This id normally changes across restarts, but `agent.id` does not. + name: agent.ephemeral_id + type: keyword +- description: |- + Unique identifier of this agent (if one exists). + Example: For Beats this would be beat.id. + name: agent.id + type: keyword +- description: |- + Custom name of the agent. + This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. + name: agent.name + type: keyword +- description: |- + Type of the agent. + The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + name: agent.type + type: keyword +- description: Version of the agent. + name: agent.version + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: as.organization.name + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: Bytes sent from the client to the server. + name: client.bytes + type: long +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Name of the continent. + name: client.geo.continent_name + type: keyword +- description: Country ISO code. + name: client.geo.country_iso_code + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: client.geo.name + type: keyword +- description: Region ISO code. + name: client.geo.region_iso_code + type: keyword +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: |- + MAC address of the client. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: client.mac + type: keyword +- description: |- + Translated IP of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions (e.g. internal client to internet). + Typically connections traversing load balancers, firewalls, or routers. + name: client.nat.port + type: long +- description: Packets sent from the client to the server. + name: client.packets + type: long +- description: Port of the client. + name: client.port + type: long +- description: |- + The highest registered client domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: client.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: client.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: client.user.domain + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: client.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: client.user.group.id + type: keyword +- description: Name of the group. + name: client.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: client.user.hash + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + The cloud account or organization id used to identify different entities in a multi-tenant environment. + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + name: cloud.account.id + type: keyword +- description: Availability zone in which this host, resource, or service is located. + name: cloud.availability_zone + type: keyword +- description: Instance ID of the host machine. + name: cloud.instance.id + type: keyword +- description: Instance name of the host machine. + name: cloud.instance.name + type: keyword +- description: Machine type of the host machine. + name: cloud.machine.type + type: keyword +- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + name: cloud.provider + type: keyword +- description: Region in which this host, resource, or service is located. + name: cloud.region + type: keyword +- description: Unique container id. + name: container.id + type: keyword +- description: Name of the image the container was built on. + name: container.image.name + type: keyword +- description: Container image tags. + name: container.image.tag + normalize: + - array + type: keyword +- description: Image labels. + name: container.labels + type: object +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + The highest registered destination domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: destination.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: destination.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: User email address. + name: destination.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: destination.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: destination.user.group.id + type: keyword +- description: Name of the group. + name: destination.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: destination.user.hash + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + normalize: + - array + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: Array of 2 letter DNS header flags. + name: dns.header_flags + normalize: + - array + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. + name: dns.op_code + type: keyword +- description: The class of records being queried. + name: dns.question.class + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. + name: dns.resolved_ip + normalize: + - array + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. + If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Unique identifier for the error. + name: error.id + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: The stack trace of this error in plain text. + multi_fields: + - name: text + type: match_only_text + name: error.stack_trace + type: wildcard +- description: The type of the error, for example the class name of the exception. + name: error.type + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + name: event.hash + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Normalized risk score or priority of the event, on a scale of 0 to 100. + This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. + name: event.risk_score_norm + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + Last time the file was accessed. + Note that not all filesystems keep track of access time. + name: file.accessed + type: date +- description: |- + File creation time. + Note that not all filesystems store the creation time. + name: file.created + type: date +- description: |- + Last time the file attributes or metadata changed. + Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + name: file.ctime + type: date +- description: Device that is the source of the file. + name: file.device + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Primary group ID (GID) of the file. + name: file.gid + type: keyword +- description: Primary group name of the file. + name: file.group + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: file.hash.sha512 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Mode of the file in octal representation. + name: file.mode + type: keyword +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: File owner's username. + name: file.owner + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Target path for symlinks. + multi_fields: + - name: text + type: match_only_text + name: file.target_path + type: keyword +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: The user ID (UID) or security identifier (SID) of the file owner. + name: file.uid + type: keyword +- description: City name. + name: geo.city_name + type: keyword +- description: Name of the continent. + name: geo.continent_name + type: keyword +- description: Country ISO code. + name: geo.country_iso_code + type: keyword +- description: Country name. + name: geo.country_name + type: keyword +- description: Longitude and latitude. + name: geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: geo.name + type: keyword +- description: Region ISO code. + name: geo.region_iso_code + type: keyword +- description: Region name. + name: geo.region_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: group.id + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: MD5 hash. + name: hash.md5 + type: keyword +- description: SHA1 hash. + name: hash.sha1 + type: keyword +- description: SHA256 hash. + name: hash.sha256 + type: keyword +- description: SHA512 hash. + name: hash.sha512 + type: keyword +- description: Operating system architecture. + name: host.architecture + type: keyword +- description: City name. + name: host.geo.city_name + type: keyword +- description: Name of the continent. + name: host.geo.continent_name + type: keyword +- description: Country ISO code. + name: host.geo.country_iso_code + type: keyword +- description: Country name. + name: host.geo.country_name + type: keyword +- description: Longitude and latitude. + name: host.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: host.geo.name + type: keyword +- description: Region ISO code. + name: host.geo.region_iso_code + type: keyword +- description: Region name. + name: host.geo.region_name + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + normalize: + - array + type: ip +- description: |- + Host MAC addresses. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: host.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: host.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: host.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: host.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: host.os.platform + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + Type of host. + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + name: host.type + type: keyword +- description: Seconds the host has been up. + name: host.uptime + type: long +- description: Size in bytes of the request body. + name: http.request.body.bytes + type: long +- description: The full HTTP request body. + multi_fields: + - name: text + type: match_only_text + name: http.request.body.content + type: wildcard +- description: Total size in bytes of the request (body and headers). + name: http.request.bytes + type: long +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: Size in bytes of the response body. + name: http.response.body.bytes + type: long +- description: The full HTTP response body. + multi_fields: + - name: text + type: match_only_text + name: http.response.body.content + type: wildcard +- description: Total size in bytes of the response (body and headers). + name: http.response.bytes + type: long +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: HTTP version. + name: http.version + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: The line number of the file containing the source code which originated the log event. + name: log.origin.file.line + type: long +- description: |- + The name of the file containing the source code which originated the log event. + Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + name: log.origin.file.name + type: keyword +- description: The name of the function or method which originated the log event. + name: log.origin.function + type: keyword +- description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + name: log.syslog + type: object +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: The Syslog text-based facility of the log event, if available. + name: log.syslog.facility.name + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + name: log.syslog.severity.name + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: Host IP address when the source IP address is the proxy. + name: network.forwarded_ip + type: ip +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: City name. + name: observer.geo.city_name + type: keyword +- description: Name of the continent. + name: observer.geo.continent_name + type: keyword +- description: Country ISO code. + name: observer.geo.country_iso_code + type: keyword +- description: Country name. + name: observer.geo.country_name + type: keyword +- description: Longitude and latitude. + name: observer.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: observer.geo.name + type: keyword +- description: Region ISO code. + name: observer.geo.region_iso_code + type: keyword +- description: Region name. + name: observer.geo.region_name + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: IP addresses of the observer. + name: observer.ip + normalize: + - array + type: ip +- description: |- + MAC addresses of the observer. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: observer.mac + normalize: + - array + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: observer.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: observer.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: observer.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: observer.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: observer.os.platform + type: keyword +- description: Operating system version as a raw string. + name: observer.os.version + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: Observer serial number. + name: observer.serial_number + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: os.platform + type: keyword +- description: Operating system version as a raw string. + name: os.version + type: keyword +- description: Package architecture. + name: package.architecture + type: keyword +- description: Checksum of the installed package for verification. + name: package.checksum + type: keyword +- description: Description of the package. + name: package.description + type: keyword +- description: Indicating how the package was installed, e.g. user-local, global. + name: package.install_scope + type: keyword +- description: Time when package was installed. + name: package.installed + type: date +- description: |- + License under which the package was released. + Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + name: package.license + type: keyword +- description: Package name + name: package.name + type: keyword +- description: Path where the package is installed. + name: package.path + type: keyword +- description: Package size in bytes. + name: package.size + type: long +- description: Package version + name: package.version + type: keyword +- description: |- + Array of process arguments, starting with the absolute path to the executable. + May be filtered to protect sensitive information. + name: process.args + normalize: + - array + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA1 hash. + name: process.hash.sha1 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: SHA512 hash. + name: process.hash.sha512 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: |- + Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. + Identifier of the group of processes the process belongs to. + name: process.pgid + type: long +- description: Process id. + name: process.pid + type: long +- description: Process id. + name: process.parent.pid + type: long +- description: The time the process started. + name: process.start + type: date +- description: Thread ID. + name: process.thread.id + type: long +- description: Thread name. + name: process.thread.name + type: keyword +- description: |- + Process title. + The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + multi_fields: + - name: text + type: match_only_text + name: process.title + type: keyword +- description: Seconds the process has been up. + name: process.uptime + type: long +- description: The working directory of the process. + multi_fields: + - name: text + type: match_only_text + name: process.working_directory + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: server.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: server.as.organization.name + type: keyword +- description: Bytes sent from the server to the client. + name: server.bytes + type: long +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: City name. + name: server.geo.city_name + type: keyword +- description: Name of the continent. + name: server.geo.continent_name + type: keyword +- description: Country ISO code. + name: server.geo.country_iso_code + type: keyword +- description: Country name. + name: server.geo.country_name + type: keyword +- description: Longitude and latitude. + name: server.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: server.geo.name + type: keyword +- description: Region ISO code. + name: server.geo.region_iso_code + type: keyword +- description: Region name. + name: server.geo.region_name + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: |- + MAC address of the server. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: server.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.ip + type: ip +- description: |- + Translated port of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: server.nat.port + type: long +- description: Packets sent from the server to the client. + name: server.packets + type: long +- description: Port of the server. + name: server.port + type: long +- description: |- + The highest registered server domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: server.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: server.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: server.user.domain + type: keyword +- description: User email address. + name: server.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: server.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: server.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: server.user.group.id + type: keyword +- description: Name of the group. + name: server.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: server.user.hash + type: keyword +- description: Unique identifier of the user. + name: server.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + Ephemeral identifier of this service (if one exists). + This id normally changes across restarts, but `service.id` does not. + name: service.ephemeral_id + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: |- + Name of a service node. + This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. + In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. + name: service.node.name + type: keyword +- description: Current state of the service. + name: service.state + type: keyword +- description: |- + The type of the service data is collected from. + The type can be used to group and correlate logs and metrics from one service type. + Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. + name: service.type + type: keyword +- description: |- + Version of the service the data was collected from. + This allows to look at a data set only for a specific version of a service. + name: service.version + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$ + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + The highest registered source domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: source.registered_domain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: source.top_level_domain + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: User email address. + name: source.user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: source.user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: source.user.group.id + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: source.user.hash + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. + name: threat.framework + type: keyword +- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.id + normalize: + - array + type: keyword +- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + name: threat.tactic.name + normalize: + - array + type: keyword +- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.reference + normalize: + - array + type: keyword +- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.id + normalize: + - array + type: keyword +- description: The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + multi_fields: + - name: text + type: match_only_text + name: threat.technique.name + normalize: + - array + type: keyword +- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.reference + normalize: + - array + type: keyword +- description: |- + Unique identifier of the trace. + A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + name: trace.id + type: keyword +- description: |- + Unique identifier of the transaction within the scope of its trace. + A transaction is the highest level of work measured within a service, such as a request to a server. + name: transaction.id + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Name of the group. + name: user.group.name + type: keyword +- description: |- + Unique user hash to correlate information for a user in anonymized form. + Useful if `user.id` or `user.name` contain confidential information and cannot be used. + name: user.hash + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: user_agent.os.platform + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/netflow/2.2.5/data_stream/log/fields/package-fields.yml b/packages/netflow/2.2.5/data_stream/log/fields/package-fields.yml new file mode 100755 index 0000000000..1915b6a75d --- /dev/null +++ b/packages/netflow/2.2.5/data_stream/log/fields/package-fields.yml @@ -0,0 +1,2689 @@ +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: flow.locality + type: keyword + description: Identifies whether the flow involved public IP addresses or only private address. +- name: flow.id + type: keyword + description: Hash of source and destination IPs. +- name: destination.locality + type: keyword + description: Whether the destination IP is private or public. +- name: source.locality + type: keyword + description: Whether the source IP is private or public. +- name: netflow + type: group + description: > + Fields from NetFlow and IPFIX. + + fields: + - name: type + type: keyword + description: > + The type of NetFlow record described by this event. + + - name: exporter + type: group + description: > + Metadata related to the exporter device that generated this record. + + fields: + - name: address + type: keyword + description: > + Exporter's network address in IP:port format. + + - name: source_id + type: long + description: > + Observation domain ID to which this record belongs. + + - name: timestamp + type: date + description: > + Time and date of export. + + - name: uptime_millis + type: long + description: > + How long the exporter process has been running, in milliseconds. + + - name: version + type: integer + description: > + NetFlow version used. + + - name: absolute_error + type: double + - name: address_pool_high_threshold + type: long + - name: address_pool_low_threshold + type: long + - name: address_port_mapping_high_threshold + type: long + - name: address_port_mapping_low_threshold + type: long + - name: address_port_mapping_per_user_high_threshold + type: long + - name: afc_protocol + type: integer + - name: afc_protocol_name + type: keyword + - name: anonymization_flags + type: integer + - name: anonymization_technique + type: integer + - name: application_business-relevance + type: long + - name: application_category_name + type: keyword + - name: application_description + type: keyword + - name: application_group_name + type: keyword + - name: application_http_uri_statistics + type: short + - name: application_http_user-agent + type: short + - name: application_id + type: short + - name: application_name + type: keyword + - name: application_sub_category_name + type: keyword + - name: application_traffic-class + type: long + - name: art_client_network_time_maximum + type: long + - name: art_client_network_time_minimum + type: long + - name: art_client_network_time_sum + type: long + - name: art_clientpackets + type: long + - name: art_count_late_responses + type: long + - name: art_count_new_connections + type: long + - name: art_count_responses + type: long + - name: art_count_responses_histogram_bucket1 + type: long + - name: art_count_responses_histogram_bucket2 + type: long + - name: art_count_responses_histogram_bucket3 + type: long + - name: art_count_responses_histogram_bucket4 + type: long + - name: art_count_responses_histogram_bucket5 + type: long + - name: art_count_responses_histogram_bucket6 + type: long + - name: art_count_responses_histogram_bucket7 + type: long + - name: art_count_retransmissions + type: long + - name: art_count_transactions + type: long + - name: art_network_time_maximum + type: long + - name: art_network_time_minimum + type: long + - name: art_network_time_sum + type: long + - name: art_response_time_maximum + type: long + - name: art_response_time_minimum + type: long + - name: art_response_time_sum + type: long + - name: art_server_network_time_maximum + type: long + - name: art_server_network_time_minimum + type: long + - name: art_server_network_time_sum + type: long + - name: art_server_response_time_maximum + type: long + - name: art_server_response_time_minimum + type: long + - name: art_server_response_time_sum + type: long + - name: art_serverpackets + type: long + - name: art_total_response_time_maximum + type: long + - name: art_total_response_time_minimum + type: long + - name: art_total_response_time_sum + type: long + - name: art_total_transaction_time_maximum + type: long + - name: art_total_transaction_time_minimum + type: long + - name: art_total_transaction_time_sum + type: long + - name: assembled_fragment_count + type: long + - name: audit_counter + type: long + - name: average_interarrival_time + type: long + - name: bgp_destination_as_number + type: long + - name: bgp_next_adjacent_as_number + type: long + - name: bgp_next_hop_ipv4_address + type: ip + - name: bgp_next_hop_ipv6_address + type: ip + - name: bgp_prev_adjacent_as_number + type: long + - name: bgp_source_as_number + type: long + - name: bgp_validity_state + type: short + - name: biflow_direction + type: short + - name: bind_ipv4_address + type: ip + - name: bind_transport_port + type: integer + - name: class_id + type: long + - name: class_name + type: keyword + - name: classification_engine_id + type: short + - name: collection_time_milliseconds + type: date + - name: collector_certificate + type: short + - name: collector_ipv4_address + type: ip + - name: collector_ipv6_address + type: ip + - name: collector_transport_port + type: integer + - name: common_properties_id + type: long + - name: confidence_level + type: double + - name: conn_ipv4_address + type: ip + - name: conn_transport_port + type: integer + - name: connection_sum_duration_seconds + type: long + - name: connection_transaction_id + type: long + - name: conntrack_id + type: long + - name: data_byte_count + type: long + - name: data_link_frame_section + type: short + - name: data_link_frame_size + type: integer + - name: data_link_frame_type + type: integer + - name: data_records_reliability + type: boolean + - name: delta_flow_count + type: long + - name: destination_ipv4_address + type: ip + - name: destination_ipv4_prefix + type: ip + - name: destination_ipv4_prefix_length + type: short + - name: destination_ipv6_address + type: ip + - name: destination_ipv6_prefix + type: ip + - name: destination_ipv6_prefix_length + type: short + - name: destination_mac_address + type: keyword + - name: destination_transport_port + type: integer + - name: digest_hash_value + type: long + - name: distinct_count_of_destination_ip_address + type: long + - name: distinct_count_of_destination_ipv4_address + type: long + - name: distinct_count_of_destination_ipv6_address + type: long + - name: distinct_count_of_source_ip_address + type: long + - name: distinct_count_of_source_ipv4_address + type: long + - name: distinct_count_of_source_ipv6_address + type: long + - name: dns_authoritative + type: short + - name: dns_cname + type: keyword + - name: dns_id + type: integer + - name: dns_mx_exchange + type: keyword + - name: dns_mx_preference + type: integer + - name: dns_nsd_name + type: keyword + - name: dns_nx_domain + type: short + - name: dns_ptrd_name + type: keyword + - name: dns_qname + type: keyword + - name: dns_qr_type + type: integer + - name: dns_query_response + type: short + - name: dns_rr_section + type: short + - name: dns_soa_expire + type: long + - name: dns_soa_minimum + type: long + - name: dns_soa_refresh + type: long + - name: dns_soa_retry + type: long + - name: dns_soa_serial + type: long + - name: dns_soam_name + type: keyword + - name: dns_soar_name + type: keyword + - name: dns_srv_port + type: integer + - name: dns_srv_priority + type: integer + - name: dns_srv_target + type: integer + - name: dns_srv_weight + type: integer + - name: dns_ttl + type: long + - name: dns_txt_data + type: keyword + - name: dot1q_customer_dei + type: boolean + - name: dot1q_customer_destination_mac_address + type: keyword + - name: dot1q_customer_priority + type: short + - name: dot1q_customer_source_mac_address + type: keyword + - name: dot1q_customer_vlan_id + type: integer + - name: dot1q_dei + type: boolean + - name: dot1q_priority + type: short + - name: dot1q_service_instance_id + type: long + - name: dot1q_service_instance_priority + type: short + - name: dot1q_service_instance_tag + type: short + - name: dot1q_vlan_id + type: integer + - name: dropped_layer2_octet_delta_count + type: long + - name: dropped_layer2_octet_total_count + type: long + - name: dropped_octet_delta_count + type: long + - name: dropped_octet_total_count + type: long + - name: dropped_packet_delta_count + type: long + - name: dropped_packet_total_count + type: long + - name: dst_traffic_index + type: long + - name: egress_broadcast_packet_total_count + type: long + - name: egress_interface + type: long + - name: egress_interface_type + type: long + - name: egress_physical_interface + type: long + - name: egress_unicast_packet_total_count + type: long + - name: egress_vrfid + type: long + - name: encrypted_technology + type: keyword + - name: engine_id + type: short + - name: engine_type + type: short + - name: ethernet_header_length + type: short + - name: ethernet_payload_length + type: integer + - name: ethernet_total_length + type: integer + - name: ethernet_type + type: integer + - name: expired_fragment_count + type: long + - name: export_interface + type: long + - name: export_protocol_version + type: short + - name: export_sctp_stream_id + type: integer + - name: export_transport_protocol + type: short + - name: exported_flow_record_total_count + type: long + - name: exported_message_total_count + type: long + - name: exported_octet_total_count + type: long + - name: exporter_certificate + type: short + - name: exporter_ipv4_address + type: ip + - name: exporter_ipv6_address + type: ip + - name: exporter_transport_port + type: integer + - name: exporting_process_id + type: long + - name: external_address_realm + type: short + - name: firewall_event + type: short + - name: first_eight_non_empty_packet_directions + type: short + - name: first_non_empty_packet_size + type: integer + - name: first_packet_banner + type: keyword + - name: flags_and_sampler_id + type: long + - name: flow_active_timeout + type: integer + - name: flow_attributes + type: integer + - name: flow_direction + type: short + - name: flow_duration_microseconds + type: long + - name: flow_duration_milliseconds + type: long + - name: flow_end_delta_microseconds + type: long + - name: flow_end_microseconds + type: date + - name: flow_end_milliseconds + type: date + - name: flow_end_nanoseconds + type: date + - name: flow_end_reason + type: short + - name: flow_end_seconds + type: date + - name: flow_end_sys_up_time + type: long + - name: flow_id + type: long + - name: flow_idle_timeout + type: integer + - name: flow_key_indicator + type: long + - name: flow_label_ipv6 + type: long + - name: flow_sampling_time_interval + type: long + - name: flow_sampling_time_spacing + type: long + - name: flow_selected_flow_delta_count + type: long + - name: flow_selected_octet_delta_count + type: long + - name: flow_selected_packet_delta_count + type: long + - name: flow_selector_algorithm + type: integer + - name: flow_start_delta_microseconds + type: long + - name: flow_start_microseconds + type: date + - name: flow_start_milliseconds + type: date + - name: flow_start_nanoseconds + type: date + - name: flow_start_seconds + type: date + - name: flow_start_sys_up_time + type: long + - name: flow_table_flush_event_count + type: long + - name: flow_table_peak_count + type: long + - name: forwarding_status + type: short + - name: fragment_flags + type: short + - name: fragment_identification + type: long + - name: fragment_offset + type: integer + - name: fw_blackout_secs + type: long + - name: fw_configured_value + type: long + - name: fw_cts_src_sgt + type: long + - name: fw_event_level + type: long + - name: fw_event_level_id + type: long + - name: fw_ext_event + type: integer + - name: fw_ext_event_alt + type: long + - name: fw_ext_event_desc + type: keyword + - name: fw_half_open_count + type: long + - name: fw_half_open_high + type: long + - name: fw_half_open_rate + type: long + - name: fw_max_sessions + type: long + - name: fw_rule + type: keyword + - name: fw_summary_pkt_count + type: long + - name: fw_zone_pair_id + type: long + - name: fw_zone_pair_name + type: long + - name: global_address_mapping_high_threshold + type: long + - name: gre_key + type: long + - name: hash_digest_output + type: boolean + - name: hash_flow_domain + type: integer + - name: hash_initialiser_value + type: long + - name: hash_ip_payload_offset + type: long + - name: hash_ip_payload_size + type: long + - name: hash_output_range_max + type: long + - name: hash_output_range_min + type: long + - name: hash_selected_range_max + type: long + - name: hash_selected_range_min + type: long + - name: http_content_type + type: keyword + - name: http_message_version + type: keyword + - name: http_reason_phrase + type: keyword + - name: http_request_host + type: keyword + - name: http_request_method + type: keyword + - name: http_request_target + type: keyword + - name: http_status_code + type: integer + - name: http_user_agent + type: keyword + - name: icmp_code_ipv4 + type: short + - name: icmp_code_ipv6 + type: short + - name: icmp_type_code_ipv4 + type: integer + - name: icmp_type_code_ipv6 + type: integer + - name: icmp_type_ipv4 + type: short + - name: icmp_type_ipv6 + type: short + - name: igmp_type + type: short + - name: ignored_data_record_total_count + type: long + - name: ignored_layer2_frame_total_count + type: long + - name: ignored_layer2_octet_total_count + type: long + - name: ignored_octet_total_count + type: long + - name: ignored_packet_total_count + type: long + - name: information_element_data_type + type: short + - name: information_element_description + type: keyword + - name: information_element_id + type: integer + - name: information_element_index + type: integer + - name: information_element_name + type: keyword + - name: information_element_range_begin + type: long + - name: information_element_range_end + type: long + - name: information_element_semantics + type: short + - name: information_element_units + type: integer + - name: ingress_broadcast_packet_total_count + type: long + - name: ingress_interface + type: long + - name: ingress_interface_type + type: long + - name: ingress_multicast_packet_total_count + type: long + - name: ingress_physical_interface + type: long + - name: ingress_unicast_packet_total_count + type: long + - name: ingress_vrfid + type: long + - name: initial_tcp_flags + type: short + - name: initiator_octets + type: long + - name: initiator_packets + type: long + - name: interface_description + type: keyword + - name: interface_name + type: keyword + - name: intermediate_process_id + type: long + - name: internal_address_realm + type: short + - name: ip_class_of_service + type: short + - name: ip_diff_serv_code_point + type: short + - name: ip_header_length + type: short + - name: ip_header_packet_section + type: short + - name: ip_next_hop_ipv4_address + type: ip + - name: ip_next_hop_ipv6_address + type: ip + - name: ip_payload_length + type: long + - name: ip_payload_packet_section + type: short + - name: ip_precedence + type: short + - name: ip_sec_spi + type: long + - name: ip_total_length + type: long + - name: ip_ttl + type: short + - name: ip_version + type: short + - name: ipv4_ihl + type: short + - name: ipv4_options + type: long + - name: ipv4_router_sc + type: ip + - name: ipv6_extension_headers + type: long + - name: is_multicast + type: short + - name: ixia_browser_id + type: short + - name: ixia_browser_name + type: keyword + - name: ixia_device_id + type: short + - name: ixia_device_name + type: keyword + - name: ixia_dns_answer + type: keyword + - name: ixia_dns_classes + type: keyword + - name: ixia_dns_query + type: keyword + - name: ixia_dns_record_txt + type: keyword + - name: ixia_dst_as_name + type: keyword + - name: ixia_dst_city_name + type: keyword + - name: ixia_dst_country_code + type: keyword + - name: ixia_dst_country_name + type: keyword + - name: ixia_dst_latitude + type: float + - name: ixia_dst_longitude + type: float + - name: ixia_dst_region_code + type: keyword + - name: ixia_dst_region_node + type: keyword + - name: ixia_encrypt_cipher + type: keyword + - name: ixia_encrypt_key_length + type: integer + - name: ixia_encrypt_type + type: keyword + - name: ixia_http_host_name + type: keyword + - name: ixia_http_uri + type: keyword + - name: ixia_http_user_agent + type: keyword + - name: ixia_imsi_subscriber + type: keyword + - name: ixia_l7_app_id + type: long + - name: ixia_l7_app_name + type: keyword + - name: ixia_latency + type: long + - name: ixia_rev_octet_delta_count + type: long + - name: ixia_rev_packet_delta_count + type: long + - name: ixia_src_as_name + type: keyword + - name: ixia_src_city_name + type: keyword + - name: ixia_src_country_code + type: keyword + - name: ixia_src_country_name + type: keyword + - name: ixia_src_latitude + type: float + - name: ixia_src_longitude + type: float + - name: ixia_src_region_code + type: keyword + - name: ixia_src_region_name + type: keyword + - name: ixia_threat_ipv4 + type: ip + - name: ixia_threat_ipv6 + type: ip + - name: ixia_threat_type + type: keyword + - name: large_packet_count + type: long + - name: layer2_frame_delta_count + type: long + - name: layer2_frame_total_count + type: long + - name: layer2_octet_delta_count + type: long + - name: layer2_octet_delta_sum_of_squares + type: long + - name: layer2_octet_total_count + type: long + - name: layer2_octet_total_sum_of_squares + type: long + - name: layer2_segment_id + type: long + - name: layer2packet_section_data + type: short + - name: layer2packet_section_offset + type: integer + - name: layer2packet_section_size + type: integer + - name: line_card_id + type: long + - name: log_op + type: short + - name: lower_ci_limit + type: double + - name: mark + type: long + - name: max_bib_entries + type: long + - name: max_entries_per_user + type: long + - name: max_export_seconds + type: date + - name: max_flow_end_microseconds + type: date + - name: max_flow_end_milliseconds + type: date + - name: max_flow_end_nanoseconds + type: date + - name: max_flow_end_seconds + type: date + - name: max_fragments_pending_reassembly + type: long + - name: max_packet_size + type: integer + - name: max_session_entries + type: long + - name: max_subscribers + type: long + - name: maximum_ip_total_length + type: long + - name: maximum_layer2_total_length + type: long + - name: maximum_ttl + type: short + - name: mean_flow_rate + type: long + - name: mean_packet_rate + type: long + - name: message_md5_checksum + type: short + - name: message_scope + type: short + - name: metering_process_id + type: long + - name: metro_evc_id + type: keyword + - name: metro_evc_type + type: short + - name: mib_capture_time_semantics + type: short + - name: mib_context_engine_id + type: short + - name: mib_context_name + type: keyword + - name: mib_index_indicator + type: long + - name: mib_module_name + type: keyword + - name: mib_object_description + type: keyword + - name: mib_object_identifier + type: short + - name: mib_object_name + type: keyword + - name: mib_object_syntax + type: keyword + - name: mib_object_value_bits + type: short + - name: mib_object_value_counter + type: long + - name: mib_object_value_gauge + type: long + - name: mib_object_value_integer + type: integer + - name: mib_object_value_ip_address + type: ip + - name: mib_object_value_octet_string + type: short + - name: mib_object_value_oid + type: short + - name: mib_object_value_time_ticks + type: long + - name: mib_object_value_unsigned + type: long + - name: mib_sub_identifier + type: long + - name: min_export_seconds + type: date + - name: min_flow_start_microseconds + type: date + - name: min_flow_start_milliseconds + type: date + - name: min_flow_start_nanoseconds + type: date + - name: min_flow_start_seconds + type: date + - name: minimum_ip_total_length + type: long + - name: minimum_layer2_total_length + type: long + - name: minimum_ttl + type: short + - name: mobile_imsi + type: keyword + - name: mobile_msisdn + type: keyword + - name: monitoring_interval_end_milli_seconds + type: date + - name: monitoring_interval_start_milli_seconds + type: date + - name: mpls_label_stack_depth + type: long + - name: mpls_label_stack_length + type: long + - name: mpls_label_stack_section + type: short + - name: mpls_label_stack_section10 + type: short + - name: mpls_label_stack_section2 + type: short + - name: mpls_label_stack_section3 + type: short + - name: mpls_label_stack_section4 + type: short + - name: mpls_label_stack_section5 + type: short + - name: mpls_label_stack_section6 + type: short + - name: mpls_label_stack_section7 + type: short + - name: mpls_label_stack_section8 + type: short + - name: mpls_label_stack_section9 + type: short + - name: mpls_payload_length + type: long + - name: mpls_payload_packet_section + type: short + - name: mpls_top_label_exp + type: short + - name: mpls_top_label_ipv4_address + type: ip + - name: mpls_top_label_ipv6_address + type: ip + - name: mpls_top_label_prefix_length + type: short + - name: mpls_top_label_stack_section + type: short + - name: mpls_top_label_ttl + type: short + - name: mpls_top_label_type + type: short + - name: mpls_vpn_route_distinguisher + type: short + - name: mptcp_address_id + type: short + - name: mptcp_flags + type: short + - name: mptcp_initial_data_sequence_number + type: long + - name: mptcp_maximum_segment_size + type: integer + - name: mptcp_receiver_token + type: long + - name: multicast_replication_factor + type: long + - name: nat_event + type: short + - name: nat_inside_svcid + type: integer + - name: nat_instance_id + type: long + - name: nat_originating_address_realm + type: short + - name: nat_outside_svcid + type: integer + - name: nat_pool_id + type: long + - name: nat_pool_name + type: keyword + - name: nat_quota_exceeded_event + type: long + - name: nat_sub_string + type: keyword + - name: nat_threshold_event + type: long + - name: nat_type + type: short + - name: netscale_ica_client_version + type: keyword + - name: netscaler_aaa_username + type: keyword + - name: netscaler_app_name + type: keyword + - name: netscaler_app_name_app_id + type: long + - name: netscaler_app_name_incarnation_number + type: long + - name: netscaler_app_template_name + type: keyword + - name: netscaler_app_unit_name_app_id + type: long + - name: netscaler_application_startup_duration + type: long + - name: netscaler_application_startup_time + type: long + - name: netscaler_cache_redir_client_connection_core_id + type: long + - name: netscaler_cache_redir_client_connection_transaction_id + type: long + - name: netscaler_client_rtt + type: long + - name: netscaler_connection_chain_hop_count + type: long + - name: netscaler_connection_chain_id + type: short + - name: netscaler_connection_id + type: long + - name: netscaler_current_license_consumed + type: long + - name: netscaler_db_clt_host_name + type: keyword + - name: netscaler_db_database_name + type: keyword + - name: netscaler_db_login_flags + type: long + - name: netscaler_db_protocol_name + type: short + - name: netscaler_db_req_string + type: keyword + - name: netscaler_db_req_type + type: short + - name: netscaler_db_resp_length + type: long + - name: netscaler_db_resp_status + type: long + - name: netscaler_db_resp_status_string + type: keyword + - name: netscaler_db_user_name + type: keyword + - name: netscaler_flow_flags + type: long + - name: netscaler_http_client_interaction_end_time + type: keyword + - name: netscaler_http_client_interaction_start_time + type: keyword + - name: netscaler_http_client_render_end_time + type: keyword + - name: netscaler_http_client_render_start_time + type: keyword + - name: netscaler_http_content_type + type: keyword + - name: netscaler_http_domain_name + type: keyword + - name: netscaler_http_req_authorization + type: keyword + - name: netscaler_http_req_cookie + type: keyword + - name: netscaler_http_req_forw_fb + type: long + - name: netscaler_http_req_forw_lb + type: long + - name: netscaler_http_req_host + type: keyword + - name: netscaler_http_req_method + type: keyword + - name: netscaler_http_req_rcv_fb + type: long + - name: netscaler_http_req_rcv_lb + type: long + - name: netscaler_http_req_referer + type: keyword + - name: netscaler_http_req_url + type: keyword + - name: netscaler_http_req_user_agent + type: keyword + - name: netscaler_http_req_via + type: keyword + - name: netscaler_http_req_xforwarded_for + type: keyword + - name: netscaler_http_res_forw_fb + type: long + - name: netscaler_http_res_forw_lb + type: long + - name: netscaler_http_res_location + type: keyword + - name: netscaler_http_res_rcv_fb + type: long + - name: netscaler_http_res_rcv_lb + type: long + - name: netscaler_http_res_set_cookie + type: keyword + - name: netscaler_http_res_set_cookie2 + type: keyword + - name: netscaler_http_rsp_len + type: long + - name: netscaler_http_rsp_status + type: integer + - name: netscaler_ica_app_module_path + type: keyword + - name: netscaler_ica_app_process_id + type: long + - name: netscaler_ica_application_name + type: keyword + - name: netscaler_ica_application_termination_time + type: long + - name: netscaler_ica_application_termination_type + type: integer + - name: netscaler_ica_channel_id1 + type: long + - name: netscaler_ica_channel_id1_bytes + type: long + - name: netscaler_ica_channel_id2 + type: long + - name: netscaler_ica_channel_id2_bytes + type: long + - name: netscaler_ica_channel_id3 + type: long + - name: netscaler_ica_channel_id3_bytes + type: long + - name: netscaler_ica_channel_id4 + type: long + - name: netscaler_ica_channel_id4_bytes + type: long + - name: netscaler_ica_channel_id5 + type: long + - name: netscaler_ica_channel_id5_bytes + type: long + - name: netscaler_ica_client_host_name + type: keyword + - name: netscaler_ica_client_ip + type: ip + - name: netscaler_ica_client_launcher + type: integer + - name: netscaler_ica_client_side_rto_count + type: integer + - name: netscaler_ica_client_side_window_size + type: integer + - name: netscaler_ica_client_type + type: integer + - name: netscaler_ica_clientside_delay + type: long + - name: netscaler_ica_clientside_jitter + type: long + - name: netscaler_ica_clientside_packets_retransmit + type: integer + - name: netscaler_ica_clientside_rtt + type: long + - name: netscaler_ica_clientside_rx_bytes + type: long + - name: netscaler_ica_clientside_srtt + type: long + - name: netscaler_ica_clientside_tx_bytes + type: long + - name: netscaler_ica_connection_priority + type: integer + - name: netscaler_ica_device_serial_no + type: long + - name: netscaler_ica_domain_name + type: keyword + - name: netscaler_ica_flags + type: long + - name: netscaler_ica_host_delay + type: long + - name: netscaler_ica_l7_client_latency + type: long + - name: netscaler_ica_l7_server_latency + type: long + - name: netscaler_ica_launch_mechanism + type: integer + - name: netscaler_ica_network_update_end_time + type: long + - name: netscaler_ica_network_update_start_time + type: long + - name: netscaler_ica_rtt + type: long + - name: netscaler_ica_server_name + type: keyword + - name: netscaler_ica_server_side_rto_count + type: integer + - name: netscaler_ica_server_side_window_size + type: integer + - name: netscaler_ica_serverside_delay + type: long + - name: netscaler_ica_serverside_jitter + type: long + - name: netscaler_ica_serverside_packets_retransmit + type: integer + - name: netscaler_ica_serverside_rtt + type: long + - name: netscaler_ica_serverside_srtt + type: long + - name: netscaler_ica_session_end_time + type: long + - name: netscaler_ica_session_guid + type: short + - name: netscaler_ica_session_reconnects + type: short + - name: netscaler_ica_session_setup_time + type: long + - name: netscaler_ica_session_update_begin_sec + type: long + - name: netscaler_ica_session_update_end_sec + type: long + - name: netscaler_ica_username + type: keyword + - name: netscaler_license_type + type: short + - name: netscaler_main_page_core_id + type: long + - name: netscaler_main_page_id + type: long + - name: netscaler_max_license_count + type: long + - name: netscaler_msi_client_cookie + type: short + - name: netscaler_round_trip_time + type: long + - name: netscaler_server_ttfb + type: long + - name: netscaler_server_ttlb + type: long + - name: netscaler_syslog_message + type: keyword + - name: netscaler_syslog_priority + type: short + - name: netscaler_syslog_timestamp + type: long + - name: netscaler_transaction_id + type: long + - name: netscaler_unknown270 + type: long + - name: netscaler_unknown271 + type: long + - name: netscaler_unknown272 + type: long + - name: netscaler_unknown273 + type: long + - name: netscaler_unknown274 + type: long + - name: netscaler_unknown275 + type: long + - name: netscaler_unknown276 + type: long + - name: netscaler_unknown277 + type: long + - name: netscaler_unknown278 + type: long + - name: netscaler_unknown279 + type: long + - name: netscaler_unknown280 + type: long + - name: netscaler_unknown281 + type: long + - name: netscaler_unknown282 + type: long + - name: netscaler_unknown283 + type: long + - name: netscaler_unknown284 + type: long + - name: netscaler_unknown285 + type: long + - name: netscaler_unknown286 + type: long + - name: netscaler_unknown287 + type: long + - name: netscaler_unknown288 + type: long + - name: netscaler_unknown289 + type: long + - name: netscaler_unknown290 + type: long + - name: netscaler_unknown291 + type: long + - name: netscaler_unknown292 + type: long + - name: netscaler_unknown293 + type: long + - name: netscaler_unknown294 + type: long + - name: netscaler_unknown295 + type: long + - name: netscaler_unknown296 + type: long + - name: netscaler_unknown297 + type: long + - name: netscaler_unknown298 + type: long + - name: netscaler_unknown299 + type: long + - name: netscaler_unknown300 + type: long + - name: netscaler_unknown301 + type: long + - name: netscaler_unknown302 + type: long + - name: netscaler_unknown303 + type: long + - name: netscaler_unknown304 + type: long + - name: netscaler_unknown305 + type: long + - name: netscaler_unknown306 + type: long + - name: netscaler_unknown307 + type: long + - name: netscaler_unknown308 + type: long + - name: netscaler_unknown309 + type: long + - name: netscaler_unknown310 + type: long + - name: netscaler_unknown311 + type: long + - name: netscaler_unknown312 + type: long + - name: netscaler_unknown313 + type: long + - name: netscaler_unknown314 + type: long + - name: netscaler_unknown315 + type: long + - name: netscaler_unknown316 + type: keyword + - name: netscaler_unknown317 + type: long + - name: netscaler_unknown318 + type: long + - name: netscaler_unknown319 + type: keyword + - name: netscaler_unknown320 + type: integer + - name: netscaler_unknown321 + type: long + - name: netscaler_unknown322 + type: long + - name: netscaler_unknown323 + type: integer + - name: netscaler_unknown324 + type: integer + - name: netscaler_unknown325 + type: integer + - name: netscaler_unknown326 + type: integer + - name: netscaler_unknown327 + type: long + - name: netscaler_unknown328 + type: integer + - name: netscaler_unknown329 + type: integer + - name: netscaler_unknown330 + type: integer + - name: netscaler_unknown331 + type: integer + - name: netscaler_unknown332 + type: long + - name: netscaler_unknown333 + type: keyword + - name: netscaler_unknown334 + type: keyword + - name: netscaler_unknown335 + type: long + - name: netscaler_unknown336 + type: long + - name: netscaler_unknown337 + type: long + - name: netscaler_unknown338 + type: long + - name: netscaler_unknown339 + type: long + - name: netscaler_unknown340 + type: long + - name: netscaler_unknown341 + type: long + - name: netscaler_unknown342 + type: long + - name: netscaler_unknown343 + type: long + - name: netscaler_unknown344 + type: long + - name: netscaler_unknown345 + type: long + - name: netscaler_unknown346 + type: long + - name: netscaler_unknown347 + type: long + - name: netscaler_unknown348 + type: integer + - name: netscaler_unknown349 + type: keyword + - name: netscaler_unknown350 + type: keyword + - name: netscaler_unknown351 + type: keyword + - name: netscaler_unknown352 + type: integer + - name: netscaler_unknown353 + type: long + - name: netscaler_unknown354 + type: long + - name: netscaler_unknown355 + type: long + - name: netscaler_unknown356 + type: long + - name: netscaler_unknown357 + type: long + - name: netscaler_unknown363 + type: short + - name: netscaler_unknown383 + type: short + - name: netscaler_unknown391 + type: long + - name: netscaler_unknown398 + type: long + - name: netscaler_unknown404 + type: long + - name: netscaler_unknown405 + type: long + - name: netscaler_unknown427 + type: long + - name: netscaler_unknown429 + type: short + - name: netscaler_unknown432 + type: short + - name: netscaler_unknown433 + type: short + - name: netscaler_unknown453 + type: long + - name: netscaler_unknown465 + type: long + - name: new_connection_delta_count + type: long + - name: next_header_ipv6 + type: short + - name: non_empty_packet_count + type: long + - name: not_sent_flow_total_count + type: long + - name: not_sent_layer2_octet_total_count + type: long + - name: not_sent_octet_total_count + type: long + - name: not_sent_packet_total_count + type: long + - name: observation_domain_id + type: long + - name: observation_domain_name + type: keyword + - name: observation_point_id + type: long + - name: observation_point_type + type: short + - name: observation_time_microseconds + type: date + - name: observation_time_milliseconds + type: date + - name: observation_time_nanoseconds + type: date + - name: observation_time_seconds + type: date + - name: observed_flow_total_count + type: long + - name: octet_delta_count + type: long + - name: octet_delta_sum_of_squares + type: long + - name: octet_total_count + type: long + - name: octet_total_sum_of_squares + type: long + - name: opaque_octets + type: short + - name: original_exporter_ipv4_address + type: ip + - name: original_exporter_ipv6_address + type: ip + - name: original_flows_completed + type: long + - name: original_flows_initiated + type: long + - name: original_flows_present + type: long + - name: original_observation_domain_id + type: long + - name: os_finger_print + type: keyword + - name: os_name + type: keyword + - name: os_version + type: keyword + - name: p2p_technology + type: keyword + - name: packet_delta_count + type: long + - name: packet_total_count + type: long + - name: padding_octets + type: short + - name: payload + type: keyword + - name: payload_entropy + type: short + - name: payload_length_ipv6 + type: integer + - name: policy_qos_classification_hierarchy + type: long + - name: policy_qos_queue_index + type: long + - name: policy_qos_queuedrops + type: long + - name: policy_qos_queueindex + type: long + - name: port_id + type: long + - name: port_range_end + type: integer + - name: port_range_num_ports + type: integer + - name: port_range_start + type: integer + - name: port_range_step_size + type: integer + - name: post_destination_mac_address + type: keyword + - name: post_dot1q_customer_vlan_id + type: integer + - name: post_dot1q_vlan_id + type: integer + - name: post_ip_class_of_service + type: short + - name: post_ip_diff_serv_code_point + type: short + - name: post_ip_precedence + type: short + - name: post_layer2_octet_delta_count + type: long + - name: post_layer2_octet_total_count + type: long + - name: post_mcast_layer2_octet_delta_count + type: long + - name: post_mcast_layer2_octet_total_count + type: long + - name: post_mcast_octet_delta_count + type: long + - name: post_mcast_octet_total_count + type: long + - name: post_mcast_packet_delta_count + type: long + - name: post_mcast_packet_total_count + type: long + - name: post_mpls_top_label_exp + type: short + - name: post_napt_destination_transport_port + type: integer + - name: post_napt_source_transport_port + type: integer + - name: post_nat_destination_ipv4_address + type: ip + - name: post_nat_destination_ipv6_address + type: ip + - name: post_nat_source_ipv4_address + type: ip + - name: post_nat_source_ipv6_address + type: ip + - name: post_octet_delta_count + type: long + - name: post_octet_total_count + type: long + - name: post_packet_delta_count + type: long + - name: post_packet_total_count + type: long + - name: post_source_mac_address + type: keyword + - name: post_vlan_id + type: integer + - name: private_enterprise_number + type: long + - name: procera_apn + type: keyword + - name: procera_base_service + type: keyword + - name: procera_content_categories + type: keyword + - name: procera_device_id + type: long + - name: procera_external_rtt + type: integer + - name: procera_flow_behavior + type: keyword + - name: procera_ggsn + type: keyword + - name: procera_http_content_type + type: keyword + - name: procera_http_file_length + type: long + - name: procera_http_language + type: keyword + - name: procera_http_location + type: keyword + - name: procera_http_referer + type: keyword + - name: procera_http_request_method + type: keyword + - name: procera_http_request_version + type: keyword + - name: procera_http_response_status + type: integer + - name: procera_http_url + type: keyword + - name: procera_http_user_agent + type: keyword + - name: procera_imsi + type: long + - name: procera_incoming_octets + type: long + - name: procera_incoming_packets + type: long + - name: procera_incoming_shaping_drops + type: long + - name: procera_incoming_shaping_latency + type: integer + - name: procera_internal_rtt + type: integer + - name: procera_local_ipv4_host + type: ip + - name: procera_local_ipv6_host + type: ip + - name: procera_msisdn + type: long + - name: procera_outgoing_octets + type: long + - name: procera_outgoing_packets + type: long + - name: procera_outgoing_shaping_drops + type: long + - name: procera_outgoing_shaping_latency + type: integer + - name: procera_property + type: keyword + - name: procera_qoe_incoming_external + type: float + - name: procera_qoe_incoming_internal + type: float + - name: procera_qoe_outgoing_external + type: float + - name: procera_qoe_outgoing_internal + type: float + - name: procera_rat + type: keyword + - name: procera_remote_ipv4_host + type: ip + - name: procera_remote_ipv6_host + type: ip + - name: procera_rnc + type: integer + - name: procera_server_hostname + type: keyword + - name: procera_service + type: keyword + - name: procera_sgsn + type: keyword + - name: procera_subscriber_identifier + type: keyword + - name: procera_template_name + type: keyword + - name: procera_user_location_information + type: keyword + - name: protocol_identifier + type: short + - name: pseudo_wire_control_word + type: long + - name: pseudo_wire_destination_ipv4_address + type: ip + - name: pseudo_wire_id + type: long + - name: pseudo_wire_type + type: integer + - name: reason + type: long + - name: reason_text + type: keyword + - name: relative_error + type: double + - name: responder_octets + type: long + - name: responder_packets + type: long + - name: reverse_absolute_error + type: double + - name: reverse_anonymization_flags + type: integer + - name: reverse_anonymization_technique + type: integer + - name: reverse_application_category_name + type: keyword + - name: reverse_application_description + type: keyword + - name: reverse_application_group_name + type: keyword + - name: reverse_application_id + type: keyword + - name: reverse_application_name + type: keyword + - name: reverse_application_sub_category_name + type: keyword + - name: reverse_average_interarrival_time + type: long + - name: reverse_bgp_destination_as_number + type: long + - name: reverse_bgp_next_adjacent_as_number + type: long + - name: reverse_bgp_next_hop_ipv4_address + type: ip + - name: reverse_bgp_next_hop_ipv6_address + type: ip + - name: reverse_bgp_prev_adjacent_as_number + type: long + - name: reverse_bgp_source_as_number + type: long + - name: reverse_bgp_validity_state + type: short + - name: reverse_class_id + type: short + - name: reverse_class_name + type: keyword + - name: reverse_classification_engine_id + type: short + - name: reverse_collection_time_milliseconds + type: long + - name: reverse_collector_certificate + type: keyword + - name: reverse_confidence_level + type: double + - name: reverse_connection_sum_duration_seconds + type: long + - name: reverse_connection_transaction_id + type: long + - name: reverse_data_byte_count + type: long + - name: reverse_data_link_frame_section + type: keyword + - name: reverse_data_link_frame_size + type: integer + - name: reverse_data_link_frame_type + type: integer + - name: reverse_data_records_reliability + type: short + - name: reverse_delta_flow_count + type: long + - name: reverse_destination_ipv4_address + type: ip + - name: reverse_destination_ipv4_prefix + type: ip + - name: reverse_destination_ipv4_prefix_length + type: short + - name: reverse_destination_ipv6_address + type: ip + - name: reverse_destination_ipv6_prefix + type: ip + - name: reverse_destination_ipv6_prefix_length + type: short + - name: reverse_destination_mac_address + type: keyword + - name: reverse_destination_transport_port + type: integer + - name: reverse_digest_hash_value + type: long + - name: reverse_distinct_count_of_destination_ip_address + type: long + - name: reverse_distinct_count_of_destination_ipv4_address + type: long + - name: reverse_distinct_count_of_destination_ipv6_address + type: long + - name: reverse_distinct_count_of_source_ip_address + type: long + - name: reverse_distinct_count_of_source_ipv4_address + type: long + - name: reverse_distinct_count_of_source_ipv6_address + type: long + - name: reverse_dot1q_customer_dei + type: short + - name: reverse_dot1q_customer_destination_mac_address + type: keyword + - name: reverse_dot1q_customer_priority + type: short + - name: reverse_dot1q_customer_source_mac_address + type: keyword + - name: reverse_dot1q_customer_vlan_id + type: integer + - name: reverse_dot1q_dei + type: short + - name: reverse_dot1q_priority + type: short + - name: reverse_dot1q_service_instance_id + type: long + - name: reverse_dot1q_service_instance_priority + type: short + - name: reverse_dot1q_service_instance_tag + type: keyword + - name: reverse_dot1q_vlan_id + type: integer + - name: reverse_dropped_layer2_octet_delta_count + type: long + - name: reverse_dropped_layer2_octet_total_count + type: long + - name: reverse_dropped_octet_delta_count + type: long + - name: reverse_dropped_octet_total_count + type: long + - name: reverse_dropped_packet_delta_count + type: long + - name: reverse_dropped_packet_total_count + type: long + - name: reverse_dst_traffic_index + type: long + - name: reverse_egress_broadcast_packet_total_count + type: long + - name: reverse_egress_interface + type: long + - name: reverse_egress_interface_type + type: long + - name: reverse_egress_physical_interface + type: long + - name: reverse_egress_unicast_packet_total_count + type: long + - name: reverse_egress_vrfid + type: long + - name: reverse_encrypted_technology + type: keyword + - name: reverse_engine_id + type: short + - name: reverse_engine_type + type: short + - name: reverse_ethernet_header_length + type: short + - name: reverse_ethernet_payload_length + type: integer + - name: reverse_ethernet_total_length + type: integer + - name: reverse_ethernet_type + type: integer + - name: reverse_export_sctp_stream_id + type: integer + - name: reverse_exporter_certificate + type: keyword + - name: reverse_exporting_process_id + type: long + - name: reverse_firewall_event + type: short + - name: reverse_first_non_empty_packet_size + type: integer + - name: reverse_first_packet_banner + type: keyword + - name: reverse_flags_and_sampler_id + type: long + - name: reverse_flow_active_timeout + type: integer + - name: reverse_flow_attributes + type: integer + - name: reverse_flow_delta_milliseconds + type: long + - name: reverse_flow_direction + type: short + - name: reverse_flow_duration_microseconds + type: long + - name: reverse_flow_duration_milliseconds + type: long + - name: reverse_flow_end_delta_microseconds + type: long + - name: reverse_flow_end_microseconds + type: long + - name: reverse_flow_end_milliseconds + type: long + - name: reverse_flow_end_nanoseconds + type: long + - name: reverse_flow_end_reason + type: short + - name: reverse_flow_end_seconds + type: long + - name: reverse_flow_end_sys_up_time + type: long + - name: reverse_flow_idle_timeout + type: integer + - name: reverse_flow_label_ipv6 + type: long + - name: reverse_flow_sampling_time_interval + type: long + - name: reverse_flow_sampling_time_spacing + type: long + - name: reverse_flow_selected_flow_delta_count + type: long + - name: reverse_flow_selected_octet_delta_count + type: long + - name: reverse_flow_selected_packet_delta_count + type: long + - name: reverse_flow_selector_algorithm + type: integer + - name: reverse_flow_start_delta_microseconds + type: long + - name: reverse_flow_start_microseconds + type: long + - name: reverse_flow_start_milliseconds + type: long + - name: reverse_flow_start_nanoseconds + type: long + - name: reverse_flow_start_seconds + type: long + - name: reverse_flow_start_sys_up_time + type: long + - name: reverse_forwarding_status + type: long + - name: reverse_fragment_flags + type: short + - name: reverse_fragment_identification + type: long + - name: reverse_fragment_offset + type: integer + - name: reverse_gre_key + type: long + - name: reverse_hash_digest_output + type: short + - name: reverse_hash_flow_domain + type: integer + - name: reverse_hash_initialiser_value + type: long + - name: reverse_hash_ip_payload_offset + type: long + - name: reverse_hash_ip_payload_size + type: long + - name: reverse_hash_output_range_max + type: long + - name: reverse_hash_output_range_min + type: long + - name: reverse_hash_selected_range_max + type: long + - name: reverse_hash_selected_range_min + type: long + - name: reverse_icmp_code_ipv4 + type: short + - name: reverse_icmp_code_ipv6 + type: short + - name: reverse_icmp_type_code_ipv4 + type: integer + - name: reverse_icmp_type_code_ipv6 + type: integer + - name: reverse_icmp_type_ipv4 + type: short + - name: reverse_icmp_type_ipv6 + type: short + - name: reverse_igmp_type + type: short + - name: reverse_ignored_data_record_total_count + type: long + - name: reverse_ignored_layer2_frame_total_count + type: long + - name: reverse_ignored_layer2_octet_total_count + type: long + - name: reverse_information_element_data_type + type: short + - name: reverse_information_element_description + type: keyword + - name: reverse_information_element_id + type: integer + - name: reverse_information_element_index + type: integer + - name: reverse_information_element_name + type: keyword + - name: reverse_information_element_range_begin + type: long + - name: reverse_information_element_range_end + type: long + - name: reverse_information_element_semantics + type: short + - name: reverse_information_element_units + type: integer + - name: reverse_ingress_broadcast_packet_total_count + type: long + - name: reverse_ingress_interface + type: long + - name: reverse_ingress_interface_type + type: long + - name: reverse_ingress_multicast_packet_total_count + type: long + - name: reverse_ingress_physical_interface + type: long + - name: reverse_ingress_unicast_packet_total_count + type: long + - name: reverse_ingress_vrfid + type: long + - name: reverse_initial_tcp_flags + type: short + - name: reverse_initiator_octets + type: long + - name: reverse_initiator_packets + type: long + - name: reverse_interface_description + type: keyword + - name: reverse_interface_name + type: keyword + - name: reverse_intermediate_process_id + type: long + - name: reverse_ip_class_of_service + type: short + - name: reverse_ip_diff_serv_code_point + type: short + - name: reverse_ip_header_length + type: short + - name: reverse_ip_header_packet_section + type: keyword + - name: reverse_ip_next_hop_ipv4_address + type: ip + - name: reverse_ip_next_hop_ipv6_address + type: ip + - name: reverse_ip_payload_length + type: long + - name: reverse_ip_payload_packet_section + type: keyword + - name: reverse_ip_precedence + type: short + - name: reverse_ip_sec_spi + type: long + - name: reverse_ip_total_length + type: long + - name: reverse_ip_ttl + type: short + - name: reverse_ip_version + type: short + - name: reverse_ipv4_ihl + type: short + - name: reverse_ipv4_options + type: long + - name: reverse_ipv4_router_sc + type: ip + - name: reverse_ipv6_extension_headers + type: long + - name: reverse_is_multicast + type: short + - name: reverse_large_packet_count + type: long + - name: reverse_layer2_frame_delta_count + type: long + - name: reverse_layer2_frame_total_count + type: long + - name: reverse_layer2_octet_delta_count + type: long + - name: reverse_layer2_octet_delta_sum_of_squares + type: long + - name: reverse_layer2_octet_total_count + type: long + - name: reverse_layer2_octet_total_sum_of_squares + type: long + - name: reverse_layer2_segment_id + type: long + - name: reverse_layer2packet_section_data + type: keyword + - name: reverse_layer2packet_section_offset + type: integer + - name: reverse_layer2packet_section_size + type: integer + - name: reverse_line_card_id + type: long + - name: reverse_lower_ci_limit + type: double + - name: reverse_max_export_seconds + type: long + - name: reverse_max_flow_end_microseconds + type: long + - name: reverse_max_flow_end_milliseconds + type: long + - name: reverse_max_flow_end_nanoseconds + type: long + - name: reverse_max_flow_end_seconds + type: long + - name: reverse_max_packet_size + type: integer + - name: reverse_maximum_ip_total_length + type: long + - name: reverse_maximum_layer2_total_length + type: long + - name: reverse_maximum_ttl + type: short + - name: reverse_message_md5_checksum + type: keyword + - name: reverse_message_scope + type: short + - name: reverse_metering_process_id + type: long + - name: reverse_metro_evc_id + type: keyword + - name: reverse_metro_evc_type + type: short + - name: reverse_min_export_seconds + type: long + - name: reverse_min_flow_start_microseconds + type: long + - name: reverse_min_flow_start_milliseconds + type: long + - name: reverse_min_flow_start_nanoseconds + type: long + - name: reverse_min_flow_start_seconds + type: long + - name: reverse_minimum_ip_total_length + type: long + - name: reverse_minimum_layer2_total_length + type: long + - name: reverse_minimum_ttl + type: short + - name: reverse_monitoring_interval_end_milli_seconds + type: long + - name: reverse_monitoring_interval_start_milli_seconds + type: long + - name: reverse_mpls_label_stack_depth + type: long + - name: reverse_mpls_label_stack_length + type: long + - name: reverse_mpls_label_stack_section + type: keyword + - name: reverse_mpls_label_stack_section10 + type: keyword + - name: reverse_mpls_label_stack_section2 + type: keyword + - name: reverse_mpls_label_stack_section3 + type: keyword + - name: reverse_mpls_label_stack_section4 + type: keyword + - name: reverse_mpls_label_stack_section5 + type: keyword + - name: reverse_mpls_label_stack_section6 + type: keyword + - name: reverse_mpls_label_stack_section7 + type: keyword + - name: reverse_mpls_label_stack_section8 + type: keyword + - name: reverse_mpls_label_stack_section9 + type: keyword + - name: reverse_mpls_payload_length + type: long + - name: reverse_mpls_payload_packet_section + type: keyword + - name: reverse_mpls_top_label_exp + type: short + - name: reverse_mpls_top_label_ipv4_address + type: ip + - name: reverse_mpls_top_label_ipv6_address + type: ip + - name: reverse_mpls_top_label_prefix_length + type: short + - name: reverse_mpls_top_label_stack_section + type: keyword + - name: reverse_mpls_top_label_ttl + type: short + - name: reverse_mpls_top_label_type + type: short + - name: reverse_mpls_vpn_route_distinguisher + type: keyword + - name: reverse_multicast_replication_factor + type: long + - name: reverse_nat_event + type: short + - name: reverse_nat_originating_address_realm + type: short + - name: reverse_nat_pool_id + type: long + - name: reverse_nat_pool_name + type: keyword + - name: reverse_nat_type + type: short + - name: reverse_new_connection_delta_count + type: long + - name: reverse_next_header_ipv6 + type: short + - name: reverse_non_empty_packet_count + type: long + - name: reverse_not_sent_layer2_octet_total_count + type: long + - name: reverse_observation_domain_name + type: keyword + - name: reverse_observation_point_id + type: long + - name: reverse_observation_point_type + type: short + - name: reverse_observation_time_microseconds + type: long + - name: reverse_observation_time_milliseconds + type: long + - name: reverse_observation_time_nanoseconds + type: long + - name: reverse_observation_time_seconds + type: long + - name: reverse_octet_delta_count + type: long + - name: reverse_octet_delta_sum_of_squares + type: long + - name: reverse_octet_total_count + type: long + - name: reverse_octet_total_sum_of_squares + type: long + - name: reverse_opaque_octets + type: keyword + - name: reverse_original_exporter_ipv4_address + type: ip + - name: reverse_original_exporter_ipv6_address + type: ip + - name: reverse_original_flows_completed + type: long + - name: reverse_original_flows_initiated + type: long + - name: reverse_original_flows_present + type: long + - name: reverse_original_observation_domain_id + type: long + - name: reverse_os_finger_print + type: keyword + - name: reverse_os_name + type: keyword + - name: reverse_os_version + type: keyword + - name: reverse_p2p_technology + type: keyword + - name: reverse_packet_delta_count + type: long + - name: reverse_packet_total_count + type: long + - name: reverse_payload + type: keyword + - name: reverse_payload_entropy + type: short + - name: reverse_payload_length_ipv6 + type: integer + - name: reverse_port_id + type: long + - name: reverse_port_range_end + type: integer + - name: reverse_port_range_num_ports + type: integer + - name: reverse_port_range_start + type: integer + - name: reverse_port_range_step_size + type: integer + - name: reverse_post_destination_mac_address + type: keyword + - name: reverse_post_dot1q_customer_vlan_id + type: integer + - name: reverse_post_dot1q_vlan_id + type: integer + - name: reverse_post_ip_class_of_service + type: short + - name: reverse_post_ip_diff_serv_code_point + type: short + - name: reverse_post_ip_precedence + type: short + - name: reverse_post_layer2_octet_delta_count + type: long + - name: reverse_post_layer2_octet_total_count + type: long + - name: reverse_post_mcast_layer2_octet_delta_count + type: long + - name: reverse_post_mcast_layer2_octet_total_count + type: long + - name: reverse_post_mcast_octet_delta_count + type: long + - name: reverse_post_mcast_octet_total_count + type: long + - name: reverse_post_mcast_packet_delta_count + type: long + - name: reverse_post_mcast_packet_total_count + type: long + - name: reverse_post_mpls_top_label_exp + type: short + - name: reverse_post_napt_destination_transport_port + type: integer + - name: reverse_post_napt_source_transport_port + type: integer + - name: reverse_post_nat_destination_ipv4_address + type: ip + - name: reverse_post_nat_destination_ipv6_address + type: ip + - name: reverse_post_nat_source_ipv4_address + type: ip + - name: reverse_post_nat_source_ipv6_address + type: ip + - name: reverse_post_octet_delta_count + type: long + - name: reverse_post_octet_total_count + type: long + - name: reverse_post_packet_delta_count + type: long + - name: reverse_post_packet_total_count + type: long + - name: reverse_post_source_mac_address + type: keyword + - name: reverse_post_vlan_id + type: integer + - name: reverse_private_enterprise_number + type: long + - name: reverse_protocol_identifier + type: short + - name: reverse_pseudo_wire_control_word + type: long + - name: reverse_pseudo_wire_destination_ipv4_address + type: ip + - name: reverse_pseudo_wire_id + type: long + - name: reverse_pseudo_wire_type + type: integer + - name: reverse_relative_error + type: double + - name: reverse_responder_octets + type: long + - name: reverse_responder_packets + type: long + - name: reverse_rfc3550_jitter_microseconds + type: long + - name: reverse_rfc3550_jitter_milliseconds + type: long + - name: reverse_rfc3550_jitter_nanoseconds + type: long + - name: reverse_rtp_payload_type + type: short + - name: reverse_rtp_sequence_number + type: integer + - name: reverse_sampler_id + type: short + - name: reverse_sampler_mode + type: short + - name: reverse_sampler_name + type: keyword + - name: reverse_sampler_random_interval + type: long + - name: reverse_sampling_algorithm + type: short + - name: reverse_sampling_flow_interval + type: long + - name: reverse_sampling_flow_spacing + type: long + - name: reverse_sampling_interval + type: long + - name: reverse_sampling_packet_interval + type: long + - name: reverse_sampling_packet_space + type: long + - name: reverse_sampling_population + type: long + - name: reverse_sampling_probability + type: double + - name: reverse_sampling_size + type: long + - name: reverse_sampling_time_interval + type: long + - name: reverse_sampling_time_space + type: long + - name: reverse_second_packet_banner + type: keyword + - name: reverse_section_exported_octets + type: integer + - name: reverse_section_offset + type: integer + - name: reverse_selection_sequence_id + type: long + - name: reverse_selector_algorithm + type: integer + - name: reverse_selector_id + type: long + - name: reverse_selector_id_total_flows_observed + type: long + - name: reverse_selector_id_total_flows_selected + type: long + - name: reverse_selector_id_total_pkts_observed + type: long + - name: reverse_selector_id_total_pkts_selected + type: long + - name: reverse_selector_name + type: keyword + - name: reverse_session_scope + type: short + - name: reverse_small_packet_count + type: long + - name: reverse_source_ipv4_address + type: ip + - name: reverse_source_ipv4_prefix + type: ip + - name: reverse_source_ipv4_prefix_length + type: short + - name: reverse_source_ipv6_address + type: ip + - name: reverse_source_ipv6_prefix + type: ip + - name: reverse_source_ipv6_prefix_length + type: short + - name: reverse_source_mac_address + type: keyword + - name: reverse_source_transport_port + type: integer + - name: reverse_src_traffic_index + type: long + - name: reverse_sta_ipv4_address + type: ip + - name: reverse_sta_mac_address + type: keyword + - name: reverse_standard_deviation_interarrival_time + type: long + - name: reverse_standard_deviation_payload_length + type: integer + - name: reverse_system_init_time_milliseconds + type: long + - name: reverse_tcp_ack_total_count + type: long + - name: reverse_tcp_acknowledgement_number + type: long + - name: reverse_tcp_control_bits + type: integer + - name: reverse_tcp_destination_port + type: integer + - name: reverse_tcp_fin_total_count + type: long + - name: reverse_tcp_header_length + type: short + - name: reverse_tcp_options + type: long + - name: reverse_tcp_psh_total_count + type: long + - name: reverse_tcp_rst_total_count + type: long + - name: reverse_tcp_sequence_number + type: long + - name: reverse_tcp_source_port + type: integer + - name: reverse_tcp_syn_total_count + type: long + - name: reverse_tcp_urg_total_count + type: long + - name: reverse_tcp_urgent_pointer + type: integer + - name: reverse_tcp_window_scale + type: integer + - name: reverse_tcp_window_size + type: integer + - name: reverse_total_length_ipv4 + type: integer + - name: reverse_transport_octet_delta_count + type: long + - name: reverse_transport_packet_delta_count + type: long + - name: reverse_tunnel_technology + type: keyword + - name: reverse_udp_destination_port + type: integer + - name: reverse_udp_message_length + type: integer + - name: reverse_udp_source_port + type: integer + - name: reverse_union_tcp_flags + type: short + - name: reverse_upper_ci_limit + type: double + - name: reverse_user_name + type: keyword + - name: reverse_value_distribution_method + type: short + - name: reverse_virtual_station_interface_id + type: keyword + - name: reverse_virtual_station_interface_name + type: keyword + - name: reverse_virtual_station_name + type: keyword + - name: reverse_virtual_station_uuid + type: keyword + - name: reverse_vlan_id + type: integer + - name: reverse_vr_fname + type: keyword + - name: reverse_wlan_channel_id + type: short + - name: reverse_wlan_ssid + type: keyword + - name: reverse_wtp_mac_address + type: keyword + - name: rfc3550_jitter_microseconds + type: long + - name: rfc3550_jitter_milliseconds + type: long + - name: rfc3550_jitter_nanoseconds + type: long + - name: rtp_payload_type + type: short + - name: rtp_sequence_number + type: integer + - name: sampler_id + type: short + - name: sampler_mode + type: short + - name: sampler_name + type: keyword + - name: sampler_random_interval + type: long + - name: sampling_algorithm + type: short + - name: sampling_flow_interval + type: long + - name: sampling_flow_spacing + type: long + - name: sampling_interval + type: long + - name: sampling_packet_interval + type: long + - name: sampling_packet_space + type: long + - name: sampling_population + type: long + - name: sampling_probability + type: double + - name: sampling_size + type: long + - name: sampling_time_interval + type: long + - name: sampling_time_space + type: long + - name: second_packet_banner + type: keyword + - name: section_exported_octets + type: integer + - name: section_offset + type: integer + - name: selection_sequence_id + type: long + - name: selector_algorithm + type: integer + - name: selector_id + type: long + - name: selector_id_total_flows_observed + type: long + - name: selector_id_total_flows_selected + type: long + - name: selector_id_total_pkts_observed + type: long + - name: selector_id_total_pkts_selected + type: long + - name: selector_name + type: keyword + - name: service_name + type: keyword + - name: session_scope + type: short + - name: silk_app_label + type: integer + - name: small_packet_count + type: long + - name: source_ipv4_address + type: ip + - name: source_ipv4_prefix + type: ip + - name: source_ipv4_prefix_length + type: short + - name: source_ipv6_address + type: ip + - name: source_ipv6_prefix + type: ip + - name: source_ipv6_prefix_length + type: short + - name: source_mac_address + type: keyword + - name: source_transport_port + type: integer + - name: source_transport_ports_limit + type: integer + - name: src_traffic_index + type: long + - name: ssl_cert_serial_number + type: keyword + - name: ssl_cert_signature + type: keyword + - name: ssl_cert_validity_not_after + type: keyword + - name: ssl_cert_validity_not_before + type: keyword + - name: ssl_cert_version + type: short + - name: ssl_certificate_hash + type: keyword + - name: ssl_cipher + type: keyword + - name: ssl_client_version + type: short + - name: ssl_compression_method + type: short + - name: ssl_object_type + type: keyword + - name: ssl_object_value + type: keyword + - name: ssl_public_key_algorithm + type: keyword + - name: ssl_public_key_length + type: keyword + - name: ssl_server_cipher + type: long + - name: ssl_server_name + type: keyword + - name: sta_ipv4_address + type: ip + - name: sta_mac_address + type: keyword + - name: standard_deviation_interarrival_time + type: long + - name: standard_deviation_payload_length + type: short + - name: system_init_time_milliseconds + type: date + - name: tcp_ack_total_count + type: long + - name: tcp_acknowledgement_number + type: long + - name: tcp_control_bits + type: integer + - name: tcp_destination_port + type: integer + - name: tcp_fin_total_count + type: long + - name: tcp_header_length + type: short + - name: tcp_options + type: long + - name: tcp_psh_total_count + type: long + - name: tcp_rst_total_count + type: long + - name: tcp_sequence_number + type: long + - name: tcp_source_port + type: integer + - name: tcp_syn_total_count + type: long + - name: tcp_urg_total_count + type: long + - name: tcp_urgent_pointer + type: integer + - name: tcp_window_scale + type: integer + - name: tcp_window_size + type: integer + - name: template_id + type: integer + - name: tftp_filename + type: keyword + - name: tftp_mode + type: keyword + - name: timestamp + type: long + - name: timestamp_absolute_monitoring-interval + type: long + - name: total_length_ipv4 + type: integer + - name: traffic_type + type: short + - name: transport_octet_delta_count + type: long + - name: transport_packet_delta_count + type: long + - name: tunnel_technology + type: keyword + - name: udp_destination_port + type: integer + - name: udp_message_length + type: integer + - name: udp_source_port + type: integer + - name: union_tcp_flags + type: short + - name: upper_ci_limit + type: double + - name: user_name + type: keyword + - name: username + type: keyword + - name: value_distribution_method + type: short + - name: viptela_vpn_id + type: long + - name: virtual_station_interface_id + type: short + - name: virtual_station_interface_name + type: keyword + - name: virtual_station_name + type: keyword + - name: virtual_station_uuid + type: short + - name: vlan_id + type: integer + - name: vmware_egress_interface_attr + type: integer + - name: vmware_ingress_interface_attr + type: integer + - name: vmware_tenant_dest_ipv4 + type: ip + - name: vmware_tenant_dest_ipv6 + type: ip + - name: vmware_tenant_dest_port + type: integer + - name: vmware_tenant_protocol + type: short + - name: vmware_tenant_source_ipv4 + type: ip + - name: vmware_tenant_source_ipv6 + type: ip + - name: vmware_tenant_source_port + type: integer + - name: vmware_vxlan_export_role + type: short + - name: vpn_identifier + type: short + - name: vr_fname + type: keyword + - name: waasoptimization_segment + type: short + - name: wlan_channel_id + type: short + - name: wlan_ssid + type: keyword + - name: wtp_mac_address + type: keyword + - name: xlate_destination_address_ip_v4 + type: ip + - name: xlate_destination_port + type: integer + - name: xlate_source_address_ip_v4 + type: ip + - name: xlate_source_port + type: integer diff --git a/packages/netflow/2.2.5/data_stream/log/manifest.yml b/packages/netflow/2.2.5/data_stream/log/manifest.yml new file mode 100755 index 0000000000..bf706ae5c5 --- /dev/null +++ b/packages/netflow/2.2.5/data_stream/log/manifest.yml @@ -0,0 +1,80 @@ +title: NetFlow logs +type: logs +streams: + - input: netflow + template_path: netflow.yml.hbs + title: Collect NetFlow logs + description: Collect NetFlow logs using the netflow input + vars: + - name: host + type: text + title: UDP host to listen on + multi: false + required: true + show_user: true + default: localhost + - name: port + type: integer + title: UDP port to listen on + multi: false + required: true + show_user: true + default: 2055 + - name: expiration_timeout + type: text + title: Time duration before an idle session or unused template is expired + multi: false + required: true + show_user: false + default: 30m + - name: queue_size + type: integer + title: Maximum number of packets that can be queued for processing + multi: false + required: true + show_user: false + default: 8192 + - name: custom_definitions + type: text + title: Custom definitions + multi: true + required: false + show_user: false + default: "" + - name: detect_sequence_reset + type: bool + title: Whether to detect sequence reset + multi: false + required: true + show_user: false + default: true + - name: max_message_size + type: text + title: Maximum size of the message received over UDP + multi: false + required: true + show_user: false + default: 10KiB + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false + default: + - netflow + - forwarded + - name: timeout + type: text + title: Read timeout for socket operations + multi: false + required: false + show_user: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/netflow/2.2.5/data_stream/log/sample_event.json b/packages/netflow/2.2.5/data_stream/log/sample_event.json new file mode 100755 index 0000000000..3e6f655051 --- /dev/null +++ b/packages/netflow/2.2.5/data_stream/log/sample_event.json @@ -0,0 +1,121 @@ +{ + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "499040e3-2739-4333-bc0a-714aceaaa76b", + "id": "f98d63fc-e620-4d4d-b16e-814a105b1bc9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "client": { + "bytes": 719, + "packets": 5 + }, + "data_stream": { + "dataset": "netflow.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "f98d63fc-e620-4d4d-b16e-814a105b1bc9", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "netflow_flow", + "agent_id_status": "verified", + "category": [ + "network", + "session" + ], + "created": "2022-05-12T09:08:00.955Z", + "dataset": "netflow.log", + "ingested": "2022-05-12T09:08:01Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "192.168.208.4:56750", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184158, + "flow_start_sys_up_time": 564184140, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 719, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 719, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": "192.168.208.4" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 719, + "packets": 5 + }, + "tags": [ + "netflow", + "forwarded" + ] +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/docs/README.md b/packages/netflow/2.2.5/docs/README.md new file mode 100755 index 0000000000..84d7b6f6e7 --- /dev/null +++ b/packages/netflow/2.2.5/docs/README.md @@ -0,0 +1,1787 @@ +# Netflow Integration + +This integration is for receiving NetFlow and IPFIX flow records over UDP. +It supports NetFlow versions 1, 5, 6, 7, 8 and 9, as well as IPFIX. For NetFlow versions older than 9, fields are mapped automatically to NetFlow v9. + +For more information on Netflow and IPFIX, see: + +- [Cisco Systems NetFlow Services Export Version 9](https://www.ietf.org/rfc/rfc3954.txt) +- [Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information](https://www.ietf.org/rfc/rfc7011.txt) + +It includes the following dataset: + +- `log` dataset + +## Compatibility + +## Logs + +### log + +The `log` dataset collects netflow logs. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | +| agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. | keyword | +| agent.type | Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. | keyword | +| agent.version | Version of the agent. | keyword | +| as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| as.organization.name | Organization name. | keyword | +| as.organization.name.text | Multi-field of `as.organization.name`. | match_only_text | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.bytes | Bytes sent from the client to the server. | long | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | +| client.nat.port | Translated port of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | long | +| client.packets | Packets sent from the client to the server. | long | +| client.port | Port of the client. | long | +| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| client.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.email | User email address. | keyword | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| client.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| client.user.group.name | Name of the group. | keyword | +| client.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.locality | Whether the destination IP is private or public. | keyword | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.email | User email address. | keyword | +| destination.user.full_name | User's full name, if available. | keyword | +| destination.user.full_name.text | Multi-field of `destination.user.full_name`. | match_only_text | +| destination.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| destination.user.group.name | Name of the group. | keyword | +| destination.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.header_flags | Array of 2 letter DNS header flags. | keyword | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | +| error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.hash | Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. | keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | +| file.created | File creation time. Note that not all filesystems store the creation time. | date | +| file.ctime | Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. | date | +| file.device | Device that is the source of the file. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.group | Primary group name of the file. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mode | Mode of the file in octal representation. | keyword | +| file.mtime | Last time the file content was modified. | date | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.owner | File owner's username. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.target_path | Target path for symlinks. | keyword | +| file.target_path.text | Multi-field of `file.target_path`. | match_only_text | +| file.type | File type (file, dir, or symlink). | keyword | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | +| flow.id | Hash of source and destination IPs. | keyword | +| flow.locality | Identifies whether the flow involved public IP addresses or only private address. | keyword | +| geo.city_name | City name. | keyword | +| geo.continent_name | Name of the continent. | keyword | +| geo.country_iso_code | Country ISO code. | keyword | +| geo.country_name | Country name. | keyword | +| geo.location | Longitude and latitude. | geo_point | +| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| geo.region_iso_code | Region ISO code. | keyword | +| geo.region_name | Region name. | keyword | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| hash.md5 | MD5 hash. | keyword | +| hash.sha1 | SHA1 hash. | keyword | +| hash.sha256 | SHA256 hash. | keyword | +| hash.sha512 | SHA512 hash. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. | keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | +| http.request.body.bytes | Size in bytes of the request body. | long | +| http.request.body.content | The full HTTP request body. | wildcard | +| http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | +| http.request.bytes | Total size in bytes of the request (body and headers). | long | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.body.content | The full HTTP response body. | wildcard | +| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | Type of Filebeat input. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.origin.file.line | The line number of the file containing the source code which originated the log event. | long | +| log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword | +| log.origin.function | The name of the function or method which originated the log event. | keyword | +| log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| netflow.absolute_error | | double | +| netflow.address_pool_high_threshold | | long | +| netflow.address_pool_low_threshold | | long | +| netflow.address_port_mapping_high_threshold | | long | +| netflow.address_port_mapping_low_threshold | | long | +| netflow.address_port_mapping_per_user_high_threshold | | long | +| netflow.afc_protocol | | integer | +| netflow.afc_protocol_name | | keyword | +| netflow.anonymization_flags | | integer | +| netflow.anonymization_technique | | integer | +| netflow.application_business-relevance | | long | +| netflow.application_category_name | | keyword | +| netflow.application_description | | keyword | +| netflow.application_group_name | | keyword | +| netflow.application_http_uri_statistics | | short | +| netflow.application_http_user-agent | | short | +| netflow.application_id | | short | +| netflow.application_name | | keyword | +| netflow.application_sub_category_name | | keyword | +| netflow.application_traffic-class | | long | +| netflow.art_client_network_time_maximum | | long | +| netflow.art_client_network_time_minimum | | long | +| netflow.art_client_network_time_sum | | long | +| netflow.art_clientpackets | | long | +| netflow.art_count_late_responses | | long | +| netflow.art_count_new_connections | | long | +| netflow.art_count_responses | | long | +| netflow.art_count_responses_histogram_bucket1 | | long | +| netflow.art_count_responses_histogram_bucket2 | | long | +| netflow.art_count_responses_histogram_bucket3 | | long | +| netflow.art_count_responses_histogram_bucket4 | | long | +| netflow.art_count_responses_histogram_bucket5 | | long | +| netflow.art_count_responses_histogram_bucket6 | | long | +| netflow.art_count_responses_histogram_bucket7 | | long | +| netflow.art_count_retransmissions | | long | +| netflow.art_count_transactions | | long | +| netflow.art_network_time_maximum | | long | +| netflow.art_network_time_minimum | | long | +| netflow.art_network_time_sum | | long | +| netflow.art_response_time_maximum | | long | +| netflow.art_response_time_minimum | | long | +| netflow.art_response_time_sum | | long | +| netflow.art_server_network_time_maximum | | long | +| netflow.art_server_network_time_minimum | | long | +| netflow.art_server_network_time_sum | | long | +| netflow.art_server_response_time_maximum | | long | +| netflow.art_server_response_time_minimum | | long | +| netflow.art_server_response_time_sum | | long | +| netflow.art_serverpackets | | long | +| netflow.art_total_response_time_maximum | | long | +| netflow.art_total_response_time_minimum | | long | +| netflow.art_total_response_time_sum | | long | +| netflow.art_total_transaction_time_maximum | | long | +| netflow.art_total_transaction_time_minimum | | long | +| netflow.art_total_transaction_time_sum | | long | +| netflow.assembled_fragment_count | | long | +| netflow.audit_counter | | long | +| netflow.average_interarrival_time | | long | +| netflow.bgp_destination_as_number | | long | +| netflow.bgp_next_adjacent_as_number | | long | +| netflow.bgp_next_hop_ipv4_address | | ip | +| netflow.bgp_next_hop_ipv6_address | | ip | +| netflow.bgp_prev_adjacent_as_number | | long | +| netflow.bgp_source_as_number | | long | +| netflow.bgp_validity_state | | short | +| netflow.biflow_direction | | short | +| netflow.bind_ipv4_address | | ip | +| netflow.bind_transport_port | | integer | +| netflow.class_id | | long | +| netflow.class_name | | keyword | +| netflow.classification_engine_id | | short | +| netflow.collection_time_milliseconds | | date | +| netflow.collector_certificate | | short | +| netflow.collector_ipv4_address | | ip | +| netflow.collector_ipv6_address | | ip | +| netflow.collector_transport_port | | integer | +| netflow.common_properties_id | | long | +| netflow.confidence_level | | double | +| netflow.conn_ipv4_address | | ip | +| netflow.conn_transport_port | | integer | +| netflow.connection_sum_duration_seconds | | long | +| netflow.connection_transaction_id | | long | +| netflow.conntrack_id | | long | +| netflow.data_byte_count | | long | +| netflow.data_link_frame_section | | short | +| netflow.data_link_frame_size | | integer | +| netflow.data_link_frame_type | | integer | +| netflow.data_records_reliability | | boolean | +| netflow.delta_flow_count | | long | +| netflow.destination_ipv4_address | | ip | +| netflow.destination_ipv4_prefix | | ip | +| netflow.destination_ipv4_prefix_length | | short | +| netflow.destination_ipv6_address | | ip | +| netflow.destination_ipv6_prefix | | ip | +| netflow.destination_ipv6_prefix_length | | short | +| netflow.destination_mac_address | | keyword | +| netflow.destination_transport_port | | integer | +| netflow.digest_hash_value | | long | +| netflow.distinct_count_of_destination_ip_address | | long | +| netflow.distinct_count_of_destination_ipv4_address | | long | +| netflow.distinct_count_of_destination_ipv6_address | | long | +| netflow.distinct_count_of_source_ip_address | | long | +| netflow.distinct_count_of_source_ipv4_address | | long | +| netflow.distinct_count_of_source_ipv6_address | | long | +| netflow.dns_authoritative | | short | +| netflow.dns_cname | | keyword | +| netflow.dns_id | | integer | +| netflow.dns_mx_exchange | | keyword | +| netflow.dns_mx_preference | | integer | +| netflow.dns_nsd_name | | keyword | +| netflow.dns_nx_domain | | short | +| netflow.dns_ptrd_name | | keyword | +| netflow.dns_qname | | keyword | +| netflow.dns_qr_type | | integer | +| netflow.dns_query_response | | short | +| netflow.dns_rr_section | | short | +| netflow.dns_soa_expire | | long | +| netflow.dns_soa_minimum | | long | +| netflow.dns_soa_refresh | | long | +| netflow.dns_soa_retry | | long | +| netflow.dns_soa_serial | | long | +| netflow.dns_soam_name | | keyword | +| netflow.dns_soar_name | | keyword | +| netflow.dns_srv_port | | integer | +| netflow.dns_srv_priority | | integer | +| netflow.dns_srv_target | | integer | +| netflow.dns_srv_weight | | integer | +| netflow.dns_ttl | | long | +| netflow.dns_txt_data | | keyword | +| netflow.dot1q_customer_dei | | boolean | +| netflow.dot1q_customer_destination_mac_address | | keyword | +| netflow.dot1q_customer_priority | | short | +| netflow.dot1q_customer_source_mac_address | | keyword | +| netflow.dot1q_customer_vlan_id | | integer | +| netflow.dot1q_dei | | boolean | +| netflow.dot1q_priority | | short | +| netflow.dot1q_service_instance_id | | long | +| netflow.dot1q_service_instance_priority | | short | +| netflow.dot1q_service_instance_tag | | short | +| netflow.dot1q_vlan_id | | integer | +| netflow.dropped_layer2_octet_delta_count | | long | +| netflow.dropped_layer2_octet_total_count | | long | +| netflow.dropped_octet_delta_count | | long | +| netflow.dropped_octet_total_count | | long | +| netflow.dropped_packet_delta_count | | long | +| netflow.dropped_packet_total_count | | long | +| netflow.dst_traffic_index | | long | +| netflow.egress_broadcast_packet_total_count | | long | +| netflow.egress_interface | | long | +| netflow.egress_interface_type | | long | +| netflow.egress_physical_interface | | long | +| netflow.egress_unicast_packet_total_count | | long | +| netflow.egress_vrfid | | long | +| netflow.encrypted_technology | | keyword | +| netflow.engine_id | | short | +| netflow.engine_type | | short | +| netflow.ethernet_header_length | | short | +| netflow.ethernet_payload_length | | integer | +| netflow.ethernet_total_length | | integer | +| netflow.ethernet_type | | integer | +| netflow.expired_fragment_count | | long | +| netflow.export_interface | | long | +| netflow.export_protocol_version | | short | +| netflow.export_sctp_stream_id | | integer | +| netflow.export_transport_protocol | | short | +| netflow.exported_flow_record_total_count | | long | +| netflow.exported_message_total_count | | long | +| netflow.exported_octet_total_count | | long | +| netflow.exporter.address | Exporter's network address in IP:port format. | keyword | +| netflow.exporter.source_id | Observation domain ID to which this record belongs. | long | +| netflow.exporter.timestamp | Time and date of export. | date | +| netflow.exporter.uptime_millis | How long the exporter process has been running, in milliseconds. | long | +| netflow.exporter.version | NetFlow version used. | integer | +| netflow.exporter_certificate | | short | +| netflow.exporter_ipv4_address | | ip | +| netflow.exporter_ipv6_address | | ip | +| netflow.exporter_transport_port | | integer | +| netflow.exporting_process_id | | long | +| netflow.external_address_realm | | short | +| netflow.firewall_event | | short | +| netflow.first_eight_non_empty_packet_directions | | short | +| netflow.first_non_empty_packet_size | | integer | +| netflow.first_packet_banner | | keyword | +| netflow.flags_and_sampler_id | | long | +| netflow.flow_active_timeout | | integer | +| netflow.flow_attributes | | integer | +| netflow.flow_direction | | short | +| netflow.flow_duration_microseconds | | long | +| netflow.flow_duration_milliseconds | | long | +| netflow.flow_end_delta_microseconds | | long | +| netflow.flow_end_microseconds | | date | +| netflow.flow_end_milliseconds | | date | +| netflow.flow_end_nanoseconds | | date | +| netflow.flow_end_reason | | short | +| netflow.flow_end_seconds | | date | +| netflow.flow_end_sys_up_time | | long | +| netflow.flow_id | | long | +| netflow.flow_idle_timeout | | integer | +| netflow.flow_key_indicator | | long | +| netflow.flow_label_ipv6 | | long | +| netflow.flow_sampling_time_interval | | long | +| netflow.flow_sampling_time_spacing | | long | +| netflow.flow_selected_flow_delta_count | | long | +| netflow.flow_selected_octet_delta_count | | long | +| netflow.flow_selected_packet_delta_count | | long | +| netflow.flow_selector_algorithm | | integer | +| netflow.flow_start_delta_microseconds | | long | +| netflow.flow_start_microseconds | | date | +| netflow.flow_start_milliseconds | | date | +| netflow.flow_start_nanoseconds | | date | +| netflow.flow_start_seconds | | date | +| netflow.flow_start_sys_up_time | | long | +| netflow.flow_table_flush_event_count | | long | +| netflow.flow_table_peak_count | | long | +| netflow.forwarding_status | | short | +| netflow.fragment_flags | | short | +| netflow.fragment_identification | | long | +| netflow.fragment_offset | | integer | +| netflow.fw_blackout_secs | | long | +| netflow.fw_configured_value | | long | +| netflow.fw_cts_src_sgt | | long | +| netflow.fw_event_level | | long | +| netflow.fw_event_level_id | | long | +| netflow.fw_ext_event | | integer | +| netflow.fw_ext_event_alt | | long | +| netflow.fw_ext_event_desc | | keyword | +| netflow.fw_half_open_count | | long | +| netflow.fw_half_open_high | | long | +| netflow.fw_half_open_rate | | long | +| netflow.fw_max_sessions | | long | +| netflow.fw_rule | | keyword | +| netflow.fw_summary_pkt_count | | long | +| netflow.fw_zone_pair_id | | long | +| netflow.fw_zone_pair_name | | long | +| netflow.global_address_mapping_high_threshold | | long | +| netflow.gre_key | | long | +| netflow.hash_digest_output | | boolean | +| netflow.hash_flow_domain | | integer | +| netflow.hash_initialiser_value | | long | +| netflow.hash_ip_payload_offset | | long | +| netflow.hash_ip_payload_size | | long | +| netflow.hash_output_range_max | | long | +| netflow.hash_output_range_min | | long | +| netflow.hash_selected_range_max | | long | +| netflow.hash_selected_range_min | | long | +| netflow.http_content_type | | keyword | +| netflow.http_message_version | | keyword | +| netflow.http_reason_phrase | | keyword | +| netflow.http_request_host | | keyword | +| netflow.http_request_method | | keyword | +| netflow.http_request_target | | keyword | +| netflow.http_status_code | | integer | +| netflow.http_user_agent | | keyword | +| netflow.icmp_code_ipv4 | | short | +| netflow.icmp_code_ipv6 | | short | +| netflow.icmp_type_code_ipv4 | | integer | +| netflow.icmp_type_code_ipv6 | | integer | +| netflow.icmp_type_ipv4 | | short | +| netflow.icmp_type_ipv6 | | short | +| netflow.igmp_type | | short | +| netflow.ignored_data_record_total_count | | long | +| netflow.ignored_layer2_frame_total_count | | long | +| netflow.ignored_layer2_octet_total_count | | long | +| netflow.ignored_octet_total_count | | long | +| netflow.ignored_packet_total_count | | long | +| netflow.information_element_data_type | | short | +| netflow.information_element_description | | keyword | +| netflow.information_element_id | | integer | +| netflow.information_element_index | | integer | +| netflow.information_element_name | | keyword | +| netflow.information_element_range_begin | | long | +| netflow.information_element_range_end | | long | +| netflow.information_element_semantics | | short | +| netflow.information_element_units | | integer | +| netflow.ingress_broadcast_packet_total_count | | long | +| netflow.ingress_interface | | long | +| netflow.ingress_interface_type | | long | +| netflow.ingress_multicast_packet_total_count | | long | +| netflow.ingress_physical_interface | | long | +| netflow.ingress_unicast_packet_total_count | | long | +| netflow.ingress_vrfid | | long | +| netflow.initial_tcp_flags | | short | +| netflow.initiator_octets | | long | +| netflow.initiator_packets | | long | +| netflow.interface_description | | keyword | +| netflow.interface_name | | keyword | +| netflow.intermediate_process_id | | long | +| netflow.internal_address_realm | | short | +| netflow.ip_class_of_service | | short | +| netflow.ip_diff_serv_code_point | | short | +| netflow.ip_header_length | | short | +| netflow.ip_header_packet_section | | short | +| netflow.ip_next_hop_ipv4_address | | ip | +| netflow.ip_next_hop_ipv6_address | | ip | +| netflow.ip_payload_length | | long | +| netflow.ip_payload_packet_section | | short | +| netflow.ip_precedence | | short | +| netflow.ip_sec_spi | | long | +| netflow.ip_total_length | | long | +| netflow.ip_ttl | | short | +| netflow.ip_version | | short | +| netflow.ipv4_ihl | | short | +| netflow.ipv4_options | | long | +| netflow.ipv4_router_sc | | ip | +| netflow.ipv6_extension_headers | | long | +| netflow.is_multicast | | short | +| netflow.ixia_browser_id | | short | +| netflow.ixia_browser_name | | keyword | +| netflow.ixia_device_id | | short | +| netflow.ixia_device_name | | keyword | +| netflow.ixia_dns_answer | | keyword | +| netflow.ixia_dns_classes | | keyword | +| netflow.ixia_dns_query | | keyword | +| netflow.ixia_dns_record_txt | | keyword | +| netflow.ixia_dst_as_name | | keyword | +| netflow.ixia_dst_city_name | | keyword | +| netflow.ixia_dst_country_code | | keyword | +| netflow.ixia_dst_country_name | | keyword | +| netflow.ixia_dst_latitude | | float | +| netflow.ixia_dst_longitude | | float | +| netflow.ixia_dst_region_code | | keyword | +| netflow.ixia_dst_region_node | | keyword | +| netflow.ixia_encrypt_cipher | | keyword | +| netflow.ixia_encrypt_key_length | | integer | +| netflow.ixia_encrypt_type | | keyword | +| netflow.ixia_http_host_name | | keyword | +| netflow.ixia_http_uri | | keyword | +| netflow.ixia_http_user_agent | | keyword | +| netflow.ixia_imsi_subscriber | | keyword | +| netflow.ixia_l7_app_id | | long | +| netflow.ixia_l7_app_name | | keyword | +| netflow.ixia_latency | | long | +| netflow.ixia_rev_octet_delta_count | | long | +| netflow.ixia_rev_packet_delta_count | | long | +| netflow.ixia_src_as_name | | keyword | +| netflow.ixia_src_city_name | | keyword | +| netflow.ixia_src_country_code | | keyword | +| netflow.ixia_src_country_name | | keyword | +| netflow.ixia_src_latitude | | float | +| netflow.ixia_src_longitude | | float | +| netflow.ixia_src_region_code | | keyword | +| netflow.ixia_src_region_name | | keyword | +| netflow.ixia_threat_ipv4 | | ip | +| netflow.ixia_threat_ipv6 | | ip | +| netflow.ixia_threat_type | | keyword | +| netflow.large_packet_count | | long | +| netflow.layer2_frame_delta_count | | long | +| netflow.layer2_frame_total_count | | long | +| netflow.layer2_octet_delta_count | | long | +| netflow.layer2_octet_delta_sum_of_squares | | long | +| netflow.layer2_octet_total_count | | long | +| netflow.layer2_octet_total_sum_of_squares | | long | +| netflow.layer2_segment_id | | long | +| netflow.layer2packet_section_data | | short | +| netflow.layer2packet_section_offset | | integer | +| netflow.layer2packet_section_size | | integer | +| netflow.line_card_id | | long | +| netflow.log_op | | short | +| netflow.lower_ci_limit | | double | +| netflow.mark | | long | +| netflow.max_bib_entries | | long | +| netflow.max_entries_per_user | | long | +| netflow.max_export_seconds | | date | +| netflow.max_flow_end_microseconds | | date | +| netflow.max_flow_end_milliseconds | | date | +| netflow.max_flow_end_nanoseconds | | date | +| netflow.max_flow_end_seconds | | date | +| netflow.max_fragments_pending_reassembly | | long | +| netflow.max_packet_size | | integer | +| netflow.max_session_entries | | long | +| netflow.max_subscribers | | long | +| netflow.maximum_ip_total_length | | long | +| netflow.maximum_layer2_total_length | | long | +| netflow.maximum_ttl | | short | +| netflow.mean_flow_rate | | long | +| netflow.mean_packet_rate | | long | +| netflow.message_md5_checksum | | short | +| netflow.message_scope | | short | +| netflow.metering_process_id | | long | +| netflow.metro_evc_id | | keyword | +| netflow.metro_evc_type | | short | +| netflow.mib_capture_time_semantics | | short | +| netflow.mib_context_engine_id | | short | +| netflow.mib_context_name | | keyword | +| netflow.mib_index_indicator | | long | +| netflow.mib_module_name | | keyword | +| netflow.mib_object_description | | keyword | +| netflow.mib_object_identifier | | short | +| netflow.mib_object_name | | keyword | +| netflow.mib_object_syntax | | keyword | +| netflow.mib_object_value_bits | | short | +| netflow.mib_object_value_counter | | long | +| netflow.mib_object_value_gauge | | long | +| netflow.mib_object_value_integer | | integer | +| netflow.mib_object_value_ip_address | | ip | +| netflow.mib_object_value_octet_string | | short | +| netflow.mib_object_value_oid | | short | +| netflow.mib_object_value_time_ticks | | long | +| netflow.mib_object_value_unsigned | | long | +| netflow.mib_sub_identifier | | long | +| netflow.min_export_seconds | | date | +| netflow.min_flow_start_microseconds | | date | +| netflow.min_flow_start_milliseconds | | date | +| netflow.min_flow_start_nanoseconds | | date | +| netflow.min_flow_start_seconds | | date | +| netflow.minimum_ip_total_length | | long | +| netflow.minimum_layer2_total_length | | long | +| netflow.minimum_ttl | | short | +| netflow.mobile_imsi | | keyword | +| netflow.mobile_msisdn | | keyword | +| netflow.monitoring_interval_end_milli_seconds | | date | +| netflow.monitoring_interval_start_milli_seconds | | date | +| netflow.mpls_label_stack_depth | | long | +| netflow.mpls_label_stack_length | | long | +| netflow.mpls_label_stack_section | | short | +| netflow.mpls_label_stack_section10 | | short | +| netflow.mpls_label_stack_section2 | | short | +| netflow.mpls_label_stack_section3 | | short | +| netflow.mpls_label_stack_section4 | | short | +| netflow.mpls_label_stack_section5 | | short | +| netflow.mpls_label_stack_section6 | | short | +| netflow.mpls_label_stack_section7 | | short | +| netflow.mpls_label_stack_section8 | | short | +| netflow.mpls_label_stack_section9 | | short | +| netflow.mpls_payload_length | | long | +| netflow.mpls_payload_packet_section | | short | +| netflow.mpls_top_label_exp | | short | +| netflow.mpls_top_label_ipv4_address | | ip | +| netflow.mpls_top_label_ipv6_address | | ip | +| netflow.mpls_top_label_prefix_length | | short | +| netflow.mpls_top_label_stack_section | | short | +| netflow.mpls_top_label_ttl | | short | +| netflow.mpls_top_label_type | | short | +| netflow.mpls_vpn_route_distinguisher | | short | +| netflow.mptcp_address_id | | short | +| netflow.mptcp_flags | | short | +| netflow.mptcp_initial_data_sequence_number | | long | +| netflow.mptcp_maximum_segment_size | | integer | +| netflow.mptcp_receiver_token | | long | +| netflow.multicast_replication_factor | | long | +| netflow.nat_event | | short | +| netflow.nat_inside_svcid | | integer | +| netflow.nat_instance_id | | long | +| netflow.nat_originating_address_realm | | short | +| netflow.nat_outside_svcid | | integer | +| netflow.nat_pool_id | | long | +| netflow.nat_pool_name | | keyword | +| netflow.nat_quota_exceeded_event | | long | +| netflow.nat_sub_string | | keyword | +| netflow.nat_threshold_event | | long | +| netflow.nat_type | | short | +| netflow.netscale_ica_client_version | | keyword | +| netflow.netscaler_aaa_username | | keyword | +| netflow.netscaler_app_name | | keyword | +| netflow.netscaler_app_name_app_id | | long | +| netflow.netscaler_app_name_incarnation_number | | long | +| netflow.netscaler_app_template_name | | keyword | +| netflow.netscaler_app_unit_name_app_id | | long | +| netflow.netscaler_application_startup_duration | | long | +| netflow.netscaler_application_startup_time | | long | +| netflow.netscaler_cache_redir_client_connection_core_id | | long | +| netflow.netscaler_cache_redir_client_connection_transaction_id | | long | +| netflow.netscaler_client_rtt | | long | +| netflow.netscaler_connection_chain_hop_count | | long | +| netflow.netscaler_connection_chain_id | | short | +| netflow.netscaler_connection_id | | long | +| netflow.netscaler_current_license_consumed | | long | +| netflow.netscaler_db_clt_host_name | | keyword | +| netflow.netscaler_db_database_name | | keyword | +| netflow.netscaler_db_login_flags | | long | +| netflow.netscaler_db_protocol_name | | short | +| netflow.netscaler_db_req_string | | keyword | +| netflow.netscaler_db_req_type | | short | +| netflow.netscaler_db_resp_length | | long | +| netflow.netscaler_db_resp_status | | long | +| netflow.netscaler_db_resp_status_string | | keyword | +| netflow.netscaler_db_user_name | | keyword | +| netflow.netscaler_flow_flags | | long | +| netflow.netscaler_http_client_interaction_end_time | | keyword | +| netflow.netscaler_http_client_interaction_start_time | | keyword | +| netflow.netscaler_http_client_render_end_time | | keyword | +| netflow.netscaler_http_client_render_start_time | | keyword | +| netflow.netscaler_http_content_type | | keyword | +| netflow.netscaler_http_domain_name | | keyword | +| netflow.netscaler_http_req_authorization | | keyword | +| netflow.netscaler_http_req_cookie | | keyword | +| netflow.netscaler_http_req_forw_fb | | long | +| netflow.netscaler_http_req_forw_lb | | long | +| netflow.netscaler_http_req_host | | keyword | +| netflow.netscaler_http_req_method | | keyword | +| netflow.netscaler_http_req_rcv_fb | | long | +| netflow.netscaler_http_req_rcv_lb | | long | +| netflow.netscaler_http_req_referer | | keyword | +| netflow.netscaler_http_req_url | | keyword | +| netflow.netscaler_http_req_user_agent | | keyword | +| netflow.netscaler_http_req_via | | keyword | +| netflow.netscaler_http_req_xforwarded_for | | keyword | +| netflow.netscaler_http_res_forw_fb | | long | +| netflow.netscaler_http_res_forw_lb | | long | +| netflow.netscaler_http_res_location | | keyword | +| netflow.netscaler_http_res_rcv_fb | | long | +| netflow.netscaler_http_res_rcv_lb | | long | +| netflow.netscaler_http_res_set_cookie | | keyword | +| netflow.netscaler_http_res_set_cookie2 | | keyword | +| netflow.netscaler_http_rsp_len | | long | +| netflow.netscaler_http_rsp_status | | integer | +| netflow.netscaler_ica_app_module_path | | keyword | +| netflow.netscaler_ica_app_process_id | | long | +| netflow.netscaler_ica_application_name | | keyword | +| netflow.netscaler_ica_application_termination_time | | long | +| netflow.netscaler_ica_application_termination_type | | integer | +| netflow.netscaler_ica_channel_id1 | | long | +| netflow.netscaler_ica_channel_id1_bytes | | long | +| netflow.netscaler_ica_channel_id2 | | long | +| netflow.netscaler_ica_channel_id2_bytes | | long | +| netflow.netscaler_ica_channel_id3 | | long | +| netflow.netscaler_ica_channel_id3_bytes | | long | +| netflow.netscaler_ica_channel_id4 | | long | +| netflow.netscaler_ica_channel_id4_bytes | | long | +| netflow.netscaler_ica_channel_id5 | | long | +| netflow.netscaler_ica_channel_id5_bytes | | long | +| netflow.netscaler_ica_client_host_name | | keyword | +| netflow.netscaler_ica_client_ip | | ip | +| netflow.netscaler_ica_client_launcher | | integer | +| netflow.netscaler_ica_client_side_rto_count | | integer | +| netflow.netscaler_ica_client_side_window_size | | integer | +| netflow.netscaler_ica_client_type | | integer | +| netflow.netscaler_ica_clientside_delay | | long | +| netflow.netscaler_ica_clientside_jitter | | long | +| netflow.netscaler_ica_clientside_packets_retransmit | | integer | +| netflow.netscaler_ica_clientside_rtt | | long | +| netflow.netscaler_ica_clientside_rx_bytes | | long | +| netflow.netscaler_ica_clientside_srtt | | long | +| netflow.netscaler_ica_clientside_tx_bytes | | long | +| netflow.netscaler_ica_connection_priority | | integer | +| netflow.netscaler_ica_device_serial_no | | long | +| netflow.netscaler_ica_domain_name | | keyword | +| netflow.netscaler_ica_flags | | long | +| netflow.netscaler_ica_host_delay | | long | +| netflow.netscaler_ica_l7_client_latency | | long | +| netflow.netscaler_ica_l7_server_latency | | long | +| netflow.netscaler_ica_launch_mechanism | | integer | +| netflow.netscaler_ica_network_update_end_time | | long | +| netflow.netscaler_ica_network_update_start_time | | long | +| netflow.netscaler_ica_rtt | | long | +| netflow.netscaler_ica_server_name | | keyword | +| netflow.netscaler_ica_server_side_rto_count | | integer | +| netflow.netscaler_ica_server_side_window_size | | integer | +| netflow.netscaler_ica_serverside_delay | | long | +| netflow.netscaler_ica_serverside_jitter | | long | +| netflow.netscaler_ica_serverside_packets_retransmit | | integer | +| netflow.netscaler_ica_serverside_rtt | | long | +| netflow.netscaler_ica_serverside_srtt | | long | +| netflow.netscaler_ica_session_end_time | | long | +| netflow.netscaler_ica_session_guid | | short | +| netflow.netscaler_ica_session_reconnects | | short | +| netflow.netscaler_ica_session_setup_time | | long | +| netflow.netscaler_ica_session_update_begin_sec | | long | +| netflow.netscaler_ica_session_update_end_sec | | long | +| netflow.netscaler_ica_username | | keyword | +| netflow.netscaler_license_type | | short | +| netflow.netscaler_main_page_core_id | | long | +| netflow.netscaler_main_page_id | | long | +| netflow.netscaler_max_license_count | | long | +| netflow.netscaler_msi_client_cookie | | short | +| netflow.netscaler_round_trip_time | | long | +| netflow.netscaler_server_ttfb | | long | +| netflow.netscaler_server_ttlb | | long | +| netflow.netscaler_syslog_message | | keyword | +| netflow.netscaler_syslog_priority | | short | +| netflow.netscaler_syslog_timestamp | | long | +| netflow.netscaler_transaction_id | | long | +| netflow.netscaler_unknown270 | | long | +| netflow.netscaler_unknown271 | | long | +| netflow.netscaler_unknown272 | | long | +| netflow.netscaler_unknown273 | | long | +| netflow.netscaler_unknown274 | | long | +| netflow.netscaler_unknown275 | | long | +| netflow.netscaler_unknown276 | | long | +| netflow.netscaler_unknown277 | | long | +| netflow.netscaler_unknown278 | | long | +| netflow.netscaler_unknown279 | | long | +| netflow.netscaler_unknown280 | | long | +| netflow.netscaler_unknown281 | | long | +| netflow.netscaler_unknown282 | | long | +| netflow.netscaler_unknown283 | | long | +| netflow.netscaler_unknown284 | | long | +| netflow.netscaler_unknown285 | | long | +| netflow.netscaler_unknown286 | | long | +| netflow.netscaler_unknown287 | | long | +| netflow.netscaler_unknown288 | | long | +| netflow.netscaler_unknown289 | | long | +| netflow.netscaler_unknown290 | | long | +| netflow.netscaler_unknown291 | | long | +| netflow.netscaler_unknown292 | | long | +| netflow.netscaler_unknown293 | | long | +| netflow.netscaler_unknown294 | | long | +| netflow.netscaler_unknown295 | | long | +| netflow.netscaler_unknown296 | | long | +| netflow.netscaler_unknown297 | | long | +| netflow.netscaler_unknown298 | | long | +| netflow.netscaler_unknown299 | | long | +| netflow.netscaler_unknown300 | | long | +| netflow.netscaler_unknown301 | | long | +| netflow.netscaler_unknown302 | | long | +| netflow.netscaler_unknown303 | | long | +| netflow.netscaler_unknown304 | | long | +| netflow.netscaler_unknown305 | | long | +| netflow.netscaler_unknown306 | | long | +| netflow.netscaler_unknown307 | | long | +| netflow.netscaler_unknown308 | | long | +| netflow.netscaler_unknown309 | | long | +| netflow.netscaler_unknown310 | | long | +| netflow.netscaler_unknown311 | | long | +| netflow.netscaler_unknown312 | | long | +| netflow.netscaler_unknown313 | | long | +| netflow.netscaler_unknown314 | | long | +| netflow.netscaler_unknown315 | | long | +| netflow.netscaler_unknown316 | | keyword | +| netflow.netscaler_unknown317 | | long | +| netflow.netscaler_unknown318 | | long | +| netflow.netscaler_unknown319 | | keyword | +| netflow.netscaler_unknown320 | | integer | +| netflow.netscaler_unknown321 | | long | +| netflow.netscaler_unknown322 | | long | +| netflow.netscaler_unknown323 | | integer | +| netflow.netscaler_unknown324 | | integer | +| netflow.netscaler_unknown325 | | integer | +| netflow.netscaler_unknown326 | | integer | +| netflow.netscaler_unknown327 | | long | +| netflow.netscaler_unknown328 | | integer | +| netflow.netscaler_unknown329 | | integer | +| netflow.netscaler_unknown330 | | integer | +| netflow.netscaler_unknown331 | | integer | +| netflow.netscaler_unknown332 | | long | +| netflow.netscaler_unknown333 | | keyword | +| netflow.netscaler_unknown334 | | keyword | +| netflow.netscaler_unknown335 | | long | +| netflow.netscaler_unknown336 | | long | +| netflow.netscaler_unknown337 | | long | +| netflow.netscaler_unknown338 | | long | +| netflow.netscaler_unknown339 | | long | +| netflow.netscaler_unknown340 | | long | +| netflow.netscaler_unknown341 | | long | +| netflow.netscaler_unknown342 | | long | +| netflow.netscaler_unknown343 | | long | +| netflow.netscaler_unknown344 | | long | +| netflow.netscaler_unknown345 | | long | +| netflow.netscaler_unknown346 | | long | +| netflow.netscaler_unknown347 | | long | +| netflow.netscaler_unknown348 | | integer | +| netflow.netscaler_unknown349 | | keyword | +| netflow.netscaler_unknown350 | | keyword | +| netflow.netscaler_unknown351 | | keyword | +| netflow.netscaler_unknown352 | | integer | +| netflow.netscaler_unknown353 | | long | +| netflow.netscaler_unknown354 | | long | +| netflow.netscaler_unknown355 | | long | +| netflow.netscaler_unknown356 | | long | +| netflow.netscaler_unknown357 | | long | +| netflow.netscaler_unknown363 | | short | +| netflow.netscaler_unknown383 | | short | +| netflow.netscaler_unknown391 | | long | +| netflow.netscaler_unknown398 | | long | +| netflow.netscaler_unknown404 | | long | +| netflow.netscaler_unknown405 | | long | +| netflow.netscaler_unknown427 | | long | +| netflow.netscaler_unknown429 | | short | +| netflow.netscaler_unknown432 | | short | +| netflow.netscaler_unknown433 | | short | +| netflow.netscaler_unknown453 | | long | +| netflow.netscaler_unknown465 | | long | +| netflow.new_connection_delta_count | | long | +| netflow.next_header_ipv6 | | short | +| netflow.non_empty_packet_count | | long | +| netflow.not_sent_flow_total_count | | long | +| netflow.not_sent_layer2_octet_total_count | | long | +| netflow.not_sent_octet_total_count | | long | +| netflow.not_sent_packet_total_count | | long | +| netflow.observation_domain_id | | long | +| netflow.observation_domain_name | | keyword | +| netflow.observation_point_id | | long | +| netflow.observation_point_type | | short | +| netflow.observation_time_microseconds | | date | +| netflow.observation_time_milliseconds | | date | +| netflow.observation_time_nanoseconds | | date | +| netflow.observation_time_seconds | | date | +| netflow.observed_flow_total_count | | long | +| netflow.octet_delta_count | | long | +| netflow.octet_delta_sum_of_squares | | long | +| netflow.octet_total_count | | long | +| netflow.octet_total_sum_of_squares | | long | +| netflow.opaque_octets | | short | +| netflow.original_exporter_ipv4_address | | ip | +| netflow.original_exporter_ipv6_address | | ip | +| netflow.original_flows_completed | | long | +| netflow.original_flows_initiated | | long | +| netflow.original_flows_present | | long | +| netflow.original_observation_domain_id | | long | +| netflow.os_finger_print | | keyword | +| netflow.os_name | | keyword | +| netflow.os_version | | keyword | +| netflow.p2p_technology | | keyword | +| netflow.packet_delta_count | | long | +| netflow.packet_total_count | | long | +| netflow.padding_octets | | short | +| netflow.payload | | keyword | +| netflow.payload_entropy | | short | +| netflow.payload_length_ipv6 | | integer | +| netflow.policy_qos_classification_hierarchy | | long | +| netflow.policy_qos_queue_index | | long | +| netflow.policy_qos_queuedrops | | long | +| netflow.policy_qos_queueindex | | long | +| netflow.port_id | | long | +| netflow.port_range_end | | integer | +| netflow.port_range_num_ports | | integer | +| netflow.port_range_start | | integer | +| netflow.port_range_step_size | | integer | +| netflow.post_destination_mac_address | | keyword | +| netflow.post_dot1q_customer_vlan_id | | integer | +| netflow.post_dot1q_vlan_id | | integer | +| netflow.post_ip_class_of_service | | short | +| netflow.post_ip_diff_serv_code_point | | short | +| netflow.post_ip_precedence | | short | +| netflow.post_layer2_octet_delta_count | | long | +| netflow.post_layer2_octet_total_count | | long | +| netflow.post_mcast_layer2_octet_delta_count | | long | +| netflow.post_mcast_layer2_octet_total_count | | long | +| netflow.post_mcast_octet_delta_count | | long | +| netflow.post_mcast_octet_total_count | | long | +| netflow.post_mcast_packet_delta_count | | long | +| netflow.post_mcast_packet_total_count | | long | +| netflow.post_mpls_top_label_exp | | short | +| netflow.post_napt_destination_transport_port | | integer | +| netflow.post_napt_source_transport_port | | integer | +| netflow.post_nat_destination_ipv4_address | | ip | +| netflow.post_nat_destination_ipv6_address | | ip | +| netflow.post_nat_source_ipv4_address | | ip | +| netflow.post_nat_source_ipv6_address | | ip | +| netflow.post_octet_delta_count | | long | +| netflow.post_octet_total_count | | long | +| netflow.post_packet_delta_count | | long | +| netflow.post_packet_total_count | | long | +| netflow.post_source_mac_address | | keyword | +| netflow.post_vlan_id | | integer | +| netflow.private_enterprise_number | | long | +| netflow.procera_apn | | keyword | +| netflow.procera_base_service | | keyword | +| netflow.procera_content_categories | | keyword | +| netflow.procera_device_id | | long | +| netflow.procera_external_rtt | | integer | +| netflow.procera_flow_behavior | | keyword | +| netflow.procera_ggsn | | keyword | +| netflow.procera_http_content_type | | keyword | +| netflow.procera_http_file_length | | long | +| netflow.procera_http_language | | keyword | +| netflow.procera_http_location | | keyword | +| netflow.procera_http_referer | | keyword | +| netflow.procera_http_request_method | | keyword | +| netflow.procera_http_request_version | | keyword | +| netflow.procera_http_response_status | | integer | +| netflow.procera_http_url | | keyword | +| netflow.procera_http_user_agent | | keyword | +| netflow.procera_imsi | | long | +| netflow.procera_incoming_octets | | long | +| netflow.procera_incoming_packets | | long | +| netflow.procera_incoming_shaping_drops | | long | +| netflow.procera_incoming_shaping_latency | | integer | +| netflow.procera_internal_rtt | | integer | +| netflow.procera_local_ipv4_host | | ip | +| netflow.procera_local_ipv6_host | | ip | +| netflow.procera_msisdn | | long | +| netflow.procera_outgoing_octets | | long | +| netflow.procera_outgoing_packets | | long | +| netflow.procera_outgoing_shaping_drops | | long | +| netflow.procera_outgoing_shaping_latency | | integer | +| netflow.procera_property | | keyword | +| netflow.procera_qoe_incoming_external | | float | +| netflow.procera_qoe_incoming_internal | | float | +| netflow.procera_qoe_outgoing_external | | float | +| netflow.procera_qoe_outgoing_internal | | float | +| netflow.procera_rat | | keyword | +| netflow.procera_remote_ipv4_host | | ip | +| netflow.procera_remote_ipv6_host | | ip | +| netflow.procera_rnc | | integer | +| netflow.procera_server_hostname | | keyword | +| netflow.procera_service | | keyword | +| netflow.procera_sgsn | | keyword | +| netflow.procera_subscriber_identifier | | keyword | +| netflow.procera_template_name | | keyword | +| netflow.procera_user_location_information | | keyword | +| netflow.protocol_identifier | | short | +| netflow.pseudo_wire_control_word | | long | +| netflow.pseudo_wire_destination_ipv4_address | | ip | +| netflow.pseudo_wire_id | | long | +| netflow.pseudo_wire_type | | integer | +| netflow.reason | | long | +| netflow.reason_text | | keyword | +| netflow.relative_error | | double | +| netflow.responder_octets | | long | +| netflow.responder_packets | | long | +| netflow.reverse_absolute_error | | double | +| netflow.reverse_anonymization_flags | | integer | +| netflow.reverse_anonymization_technique | | integer | +| netflow.reverse_application_category_name | | keyword | +| netflow.reverse_application_description | | keyword | +| netflow.reverse_application_group_name | | keyword | +| netflow.reverse_application_id | | keyword | +| netflow.reverse_application_name | | keyword | +| netflow.reverse_application_sub_category_name | | keyword | +| netflow.reverse_average_interarrival_time | | long | +| netflow.reverse_bgp_destination_as_number | | long | +| netflow.reverse_bgp_next_adjacent_as_number | | long | +| netflow.reverse_bgp_next_hop_ipv4_address | | ip | +| netflow.reverse_bgp_next_hop_ipv6_address | | ip | +| netflow.reverse_bgp_prev_adjacent_as_number | | long | +| netflow.reverse_bgp_source_as_number | | long | +| netflow.reverse_bgp_validity_state | | short | +| netflow.reverse_class_id | | short | +| netflow.reverse_class_name | | keyword | +| netflow.reverse_classification_engine_id | | short | +| netflow.reverse_collection_time_milliseconds | | long | +| netflow.reverse_collector_certificate | | keyword | +| netflow.reverse_confidence_level | | double | +| netflow.reverse_connection_sum_duration_seconds | | long | +| netflow.reverse_connection_transaction_id | | long | +| netflow.reverse_data_byte_count | | long | +| netflow.reverse_data_link_frame_section | | keyword | +| netflow.reverse_data_link_frame_size | | integer | +| netflow.reverse_data_link_frame_type | | integer | +| netflow.reverse_data_records_reliability | | short | +| netflow.reverse_delta_flow_count | | long | +| netflow.reverse_destination_ipv4_address | | ip | +| netflow.reverse_destination_ipv4_prefix | | ip | +| netflow.reverse_destination_ipv4_prefix_length | | short | +| netflow.reverse_destination_ipv6_address | | ip | +| netflow.reverse_destination_ipv6_prefix | | ip | +| netflow.reverse_destination_ipv6_prefix_length | | short | +| netflow.reverse_destination_mac_address | | keyword | +| netflow.reverse_destination_transport_port | | integer | +| netflow.reverse_digest_hash_value | | long | +| netflow.reverse_distinct_count_of_destination_ip_address | | long | +| netflow.reverse_distinct_count_of_destination_ipv4_address | | long | +| netflow.reverse_distinct_count_of_destination_ipv6_address | | long | +| netflow.reverse_distinct_count_of_source_ip_address | | long | +| netflow.reverse_distinct_count_of_source_ipv4_address | | long | +| netflow.reverse_distinct_count_of_source_ipv6_address | | long | +| netflow.reverse_dot1q_customer_dei | | short | +| netflow.reverse_dot1q_customer_destination_mac_address | | keyword | +| netflow.reverse_dot1q_customer_priority | | short | +| netflow.reverse_dot1q_customer_source_mac_address | | keyword | +| netflow.reverse_dot1q_customer_vlan_id | | integer | +| netflow.reverse_dot1q_dei | | short | +| netflow.reverse_dot1q_priority | | short | +| netflow.reverse_dot1q_service_instance_id | | long | +| netflow.reverse_dot1q_service_instance_priority | | short | +| netflow.reverse_dot1q_service_instance_tag | | keyword | +| netflow.reverse_dot1q_vlan_id | | integer | +| netflow.reverse_dropped_layer2_octet_delta_count | | long | +| netflow.reverse_dropped_layer2_octet_total_count | | long | +| netflow.reverse_dropped_octet_delta_count | | long | +| netflow.reverse_dropped_octet_total_count | | long | +| netflow.reverse_dropped_packet_delta_count | | long | +| netflow.reverse_dropped_packet_total_count | | long | +| netflow.reverse_dst_traffic_index | | long | +| netflow.reverse_egress_broadcast_packet_total_count | | long | +| netflow.reverse_egress_interface | | long | +| netflow.reverse_egress_interface_type | | long | +| netflow.reverse_egress_physical_interface | | long | +| netflow.reverse_egress_unicast_packet_total_count | | long | +| netflow.reverse_egress_vrfid | | long | +| netflow.reverse_encrypted_technology | | keyword | +| netflow.reverse_engine_id | | short | +| netflow.reverse_engine_type | | short | +| netflow.reverse_ethernet_header_length | | short | +| netflow.reverse_ethernet_payload_length | | integer | +| netflow.reverse_ethernet_total_length | | integer | +| netflow.reverse_ethernet_type | | integer | +| netflow.reverse_export_sctp_stream_id | | integer | +| netflow.reverse_exporter_certificate | | keyword | +| netflow.reverse_exporting_process_id | | long | +| netflow.reverse_firewall_event | | short | +| netflow.reverse_first_non_empty_packet_size | | integer | +| netflow.reverse_first_packet_banner | | keyword | +| netflow.reverse_flags_and_sampler_id | | long | +| netflow.reverse_flow_active_timeout | | integer | +| netflow.reverse_flow_attributes | | integer | +| netflow.reverse_flow_delta_milliseconds | | long | +| netflow.reverse_flow_direction | | short | +| netflow.reverse_flow_duration_microseconds | | long | +| netflow.reverse_flow_duration_milliseconds | | long | +| netflow.reverse_flow_end_delta_microseconds | | long | +| netflow.reverse_flow_end_microseconds | | long | +| netflow.reverse_flow_end_milliseconds | | long | +| netflow.reverse_flow_end_nanoseconds | | long | +| netflow.reverse_flow_end_reason | | short | +| netflow.reverse_flow_end_seconds | | long | +| netflow.reverse_flow_end_sys_up_time | | long | +| netflow.reverse_flow_idle_timeout | | integer | +| netflow.reverse_flow_label_ipv6 | | long | +| netflow.reverse_flow_sampling_time_interval | | long | +| netflow.reverse_flow_sampling_time_spacing | | long | +| netflow.reverse_flow_selected_flow_delta_count | | long | +| netflow.reverse_flow_selected_octet_delta_count | | long | +| netflow.reverse_flow_selected_packet_delta_count | | long | +| netflow.reverse_flow_selector_algorithm | | integer | +| netflow.reverse_flow_start_delta_microseconds | | long | +| netflow.reverse_flow_start_microseconds | | long | +| netflow.reverse_flow_start_milliseconds | | long | +| netflow.reverse_flow_start_nanoseconds | | long | +| netflow.reverse_flow_start_seconds | | long | +| netflow.reverse_flow_start_sys_up_time | | long | +| netflow.reverse_forwarding_status | | long | +| netflow.reverse_fragment_flags | | short | +| netflow.reverse_fragment_identification | | long | +| netflow.reverse_fragment_offset | | integer | +| netflow.reverse_gre_key | | long | +| netflow.reverse_hash_digest_output | | short | +| netflow.reverse_hash_flow_domain | | integer | +| netflow.reverse_hash_initialiser_value | | long | +| netflow.reverse_hash_ip_payload_offset | | long | +| netflow.reverse_hash_ip_payload_size | | long | +| netflow.reverse_hash_output_range_max | | long | +| netflow.reverse_hash_output_range_min | | long | +| netflow.reverse_hash_selected_range_max | | long | +| netflow.reverse_hash_selected_range_min | | long | +| netflow.reverse_icmp_code_ipv4 | | short | +| netflow.reverse_icmp_code_ipv6 | | short | +| netflow.reverse_icmp_type_code_ipv4 | | integer | +| netflow.reverse_icmp_type_code_ipv6 | | integer | +| netflow.reverse_icmp_type_ipv4 | | short | +| netflow.reverse_icmp_type_ipv6 | | short | +| netflow.reverse_igmp_type | | short | +| netflow.reverse_ignored_data_record_total_count | | long | +| netflow.reverse_ignored_layer2_frame_total_count | | long | +| netflow.reverse_ignored_layer2_octet_total_count | | long | +| netflow.reverse_information_element_data_type | | short | +| netflow.reverse_information_element_description | | keyword | +| netflow.reverse_information_element_id | | integer | +| netflow.reverse_information_element_index | | integer | +| netflow.reverse_information_element_name | | keyword | +| netflow.reverse_information_element_range_begin | | long | +| netflow.reverse_information_element_range_end | | long | +| netflow.reverse_information_element_semantics | | short | +| netflow.reverse_information_element_units | | integer | +| netflow.reverse_ingress_broadcast_packet_total_count | | long | +| netflow.reverse_ingress_interface | | long | +| netflow.reverse_ingress_interface_type | | long | +| netflow.reverse_ingress_multicast_packet_total_count | | long | +| netflow.reverse_ingress_physical_interface | | long | +| netflow.reverse_ingress_unicast_packet_total_count | | long | +| netflow.reverse_ingress_vrfid | | long | +| netflow.reverse_initial_tcp_flags | | short | +| netflow.reverse_initiator_octets | | long | +| netflow.reverse_initiator_packets | | long | +| netflow.reverse_interface_description | | keyword | +| netflow.reverse_interface_name | | keyword | +| netflow.reverse_intermediate_process_id | | long | +| netflow.reverse_ip_class_of_service | | short | +| netflow.reverse_ip_diff_serv_code_point | | short | +| netflow.reverse_ip_header_length | | short | +| netflow.reverse_ip_header_packet_section | | keyword | +| netflow.reverse_ip_next_hop_ipv4_address | | ip | +| netflow.reverse_ip_next_hop_ipv6_address | | ip | +| netflow.reverse_ip_payload_length | | long | +| netflow.reverse_ip_payload_packet_section | | keyword | +| netflow.reverse_ip_precedence | | short | +| netflow.reverse_ip_sec_spi | | long | +| netflow.reverse_ip_total_length | | long | +| netflow.reverse_ip_ttl | | short | +| netflow.reverse_ip_version | | short | +| netflow.reverse_ipv4_ihl | | short | +| netflow.reverse_ipv4_options | | long | +| netflow.reverse_ipv4_router_sc | | ip | +| netflow.reverse_ipv6_extension_headers | | long | +| netflow.reverse_is_multicast | | short | +| netflow.reverse_large_packet_count | | long | +| netflow.reverse_layer2_frame_delta_count | | long | +| netflow.reverse_layer2_frame_total_count | | long | +| netflow.reverse_layer2_octet_delta_count | | long | +| netflow.reverse_layer2_octet_delta_sum_of_squares | | long | +| netflow.reverse_layer2_octet_total_count | | long | +| netflow.reverse_layer2_octet_total_sum_of_squares | | long | +| netflow.reverse_layer2_segment_id | | long | +| netflow.reverse_layer2packet_section_data | | keyword | +| netflow.reverse_layer2packet_section_offset | | integer | +| netflow.reverse_layer2packet_section_size | | integer | +| netflow.reverse_line_card_id | | long | +| netflow.reverse_lower_ci_limit | | double | +| netflow.reverse_max_export_seconds | | long | +| netflow.reverse_max_flow_end_microseconds | | long | +| netflow.reverse_max_flow_end_milliseconds | | long | +| netflow.reverse_max_flow_end_nanoseconds | | long | +| netflow.reverse_max_flow_end_seconds | | long | +| netflow.reverse_max_packet_size | | integer | +| netflow.reverse_maximum_ip_total_length | | long | +| netflow.reverse_maximum_layer2_total_length | | long | +| netflow.reverse_maximum_ttl | | short | +| netflow.reverse_message_md5_checksum | | keyword | +| netflow.reverse_message_scope | | short | +| netflow.reverse_metering_process_id | | long | +| netflow.reverse_metro_evc_id | | keyword | +| netflow.reverse_metro_evc_type | | short | +| netflow.reverse_min_export_seconds | | long | +| netflow.reverse_min_flow_start_microseconds | | long | +| netflow.reverse_min_flow_start_milliseconds | | long | +| netflow.reverse_min_flow_start_nanoseconds | | long | +| netflow.reverse_min_flow_start_seconds | | long | +| netflow.reverse_minimum_ip_total_length | | long | +| netflow.reverse_minimum_layer2_total_length | | long | +| netflow.reverse_minimum_ttl | | short | +| netflow.reverse_monitoring_interval_end_milli_seconds | | long | +| netflow.reverse_monitoring_interval_start_milli_seconds | | long | +| netflow.reverse_mpls_label_stack_depth | | long | +| netflow.reverse_mpls_label_stack_length | | long | +| netflow.reverse_mpls_label_stack_section | | keyword | +| netflow.reverse_mpls_label_stack_section10 | | keyword | +| netflow.reverse_mpls_label_stack_section2 | | keyword | +| netflow.reverse_mpls_label_stack_section3 | | keyword | +| netflow.reverse_mpls_label_stack_section4 | | keyword | +| netflow.reverse_mpls_label_stack_section5 | | keyword | +| netflow.reverse_mpls_label_stack_section6 | | keyword | +| netflow.reverse_mpls_label_stack_section7 | | keyword | +| netflow.reverse_mpls_label_stack_section8 | | keyword | +| netflow.reverse_mpls_label_stack_section9 | | keyword | +| netflow.reverse_mpls_payload_length | | long | +| netflow.reverse_mpls_payload_packet_section | | keyword | +| netflow.reverse_mpls_top_label_exp | | short | +| netflow.reverse_mpls_top_label_ipv4_address | | ip | +| netflow.reverse_mpls_top_label_ipv6_address | | ip | +| netflow.reverse_mpls_top_label_prefix_length | | short | +| netflow.reverse_mpls_top_label_stack_section | | keyword | +| netflow.reverse_mpls_top_label_ttl | | short | +| netflow.reverse_mpls_top_label_type | | short | +| netflow.reverse_mpls_vpn_route_distinguisher | | keyword | +| netflow.reverse_multicast_replication_factor | | long | +| netflow.reverse_nat_event | | short | +| netflow.reverse_nat_originating_address_realm | | short | +| netflow.reverse_nat_pool_id | | long | +| netflow.reverse_nat_pool_name | | keyword | +| netflow.reverse_nat_type | | short | +| netflow.reverse_new_connection_delta_count | | long | +| netflow.reverse_next_header_ipv6 | | short | +| netflow.reverse_non_empty_packet_count | | long | +| netflow.reverse_not_sent_layer2_octet_total_count | | long | +| netflow.reverse_observation_domain_name | | keyword | +| netflow.reverse_observation_point_id | | long | +| netflow.reverse_observation_point_type | | short | +| netflow.reverse_observation_time_microseconds | | long | +| netflow.reverse_observation_time_milliseconds | | long | +| netflow.reverse_observation_time_nanoseconds | | long | +| netflow.reverse_observation_time_seconds | | long | +| netflow.reverse_octet_delta_count | | long | +| netflow.reverse_octet_delta_sum_of_squares | | long | +| netflow.reverse_octet_total_count | | long | +| netflow.reverse_octet_total_sum_of_squares | | long | +| netflow.reverse_opaque_octets | | keyword | +| netflow.reverse_original_exporter_ipv4_address | | ip | +| netflow.reverse_original_exporter_ipv6_address | | ip | +| netflow.reverse_original_flows_completed | | long | +| netflow.reverse_original_flows_initiated | | long | +| netflow.reverse_original_flows_present | | long | +| netflow.reverse_original_observation_domain_id | | long | +| netflow.reverse_os_finger_print | | keyword | +| netflow.reverse_os_name | | keyword | +| netflow.reverse_os_version | | keyword | +| netflow.reverse_p2p_technology | | keyword | +| netflow.reverse_packet_delta_count | | long | +| netflow.reverse_packet_total_count | | long | +| netflow.reverse_payload | | keyword | +| netflow.reverse_payload_entropy | | short | +| netflow.reverse_payload_length_ipv6 | | integer | +| netflow.reverse_port_id | | long | +| netflow.reverse_port_range_end | | integer | +| netflow.reverse_port_range_num_ports | | integer | +| netflow.reverse_port_range_start | | integer | +| netflow.reverse_port_range_step_size | | integer | +| netflow.reverse_post_destination_mac_address | | keyword | +| netflow.reverse_post_dot1q_customer_vlan_id | | integer | +| netflow.reverse_post_dot1q_vlan_id | | integer | +| netflow.reverse_post_ip_class_of_service | | short | +| netflow.reverse_post_ip_diff_serv_code_point | | short | +| netflow.reverse_post_ip_precedence | | short | +| netflow.reverse_post_layer2_octet_delta_count | | long | +| netflow.reverse_post_layer2_octet_total_count | | long | +| netflow.reverse_post_mcast_layer2_octet_delta_count | | long | +| netflow.reverse_post_mcast_layer2_octet_total_count | | long | +| netflow.reverse_post_mcast_octet_delta_count | | long | +| netflow.reverse_post_mcast_octet_total_count | | long | +| netflow.reverse_post_mcast_packet_delta_count | | long | +| netflow.reverse_post_mcast_packet_total_count | | long | +| netflow.reverse_post_mpls_top_label_exp | | short | +| netflow.reverse_post_napt_destination_transport_port | | integer | +| netflow.reverse_post_napt_source_transport_port | | integer | +| netflow.reverse_post_nat_destination_ipv4_address | | ip | +| netflow.reverse_post_nat_destination_ipv6_address | | ip | +| netflow.reverse_post_nat_source_ipv4_address | | ip | +| netflow.reverse_post_nat_source_ipv6_address | | ip | +| netflow.reverse_post_octet_delta_count | | long | +| netflow.reverse_post_octet_total_count | | long | +| netflow.reverse_post_packet_delta_count | | long | +| netflow.reverse_post_packet_total_count | | long | +| netflow.reverse_post_source_mac_address | | keyword | +| netflow.reverse_post_vlan_id | | integer | +| netflow.reverse_private_enterprise_number | | long | +| netflow.reverse_protocol_identifier | | short | +| netflow.reverse_pseudo_wire_control_word | | long | +| netflow.reverse_pseudo_wire_destination_ipv4_address | | ip | +| netflow.reverse_pseudo_wire_id | | long | +| netflow.reverse_pseudo_wire_type | | integer | +| netflow.reverse_relative_error | | double | +| netflow.reverse_responder_octets | | long | +| netflow.reverse_responder_packets | | long | +| netflow.reverse_rfc3550_jitter_microseconds | | long | +| netflow.reverse_rfc3550_jitter_milliseconds | | long | +| netflow.reverse_rfc3550_jitter_nanoseconds | | long | +| netflow.reverse_rtp_payload_type | | short | +| netflow.reverse_rtp_sequence_number | | integer | +| netflow.reverse_sampler_id | | short | +| netflow.reverse_sampler_mode | | short | +| netflow.reverse_sampler_name | | keyword | +| netflow.reverse_sampler_random_interval | | long | +| netflow.reverse_sampling_algorithm | | short | +| netflow.reverse_sampling_flow_interval | | long | +| netflow.reverse_sampling_flow_spacing | | long | +| netflow.reverse_sampling_interval | | long | +| netflow.reverse_sampling_packet_interval | | long | +| netflow.reverse_sampling_packet_space | | long | +| netflow.reverse_sampling_population | | long | +| netflow.reverse_sampling_probability | | double | +| netflow.reverse_sampling_size | | long | +| netflow.reverse_sampling_time_interval | | long | +| netflow.reverse_sampling_time_space | | long | +| netflow.reverse_second_packet_banner | | keyword | +| netflow.reverse_section_exported_octets | | integer | +| netflow.reverse_section_offset | | integer | +| netflow.reverse_selection_sequence_id | | long | +| netflow.reverse_selector_algorithm | | integer | +| netflow.reverse_selector_id | | long | +| netflow.reverse_selector_id_total_flows_observed | | long | +| netflow.reverse_selector_id_total_flows_selected | | long | +| netflow.reverse_selector_id_total_pkts_observed | | long | +| netflow.reverse_selector_id_total_pkts_selected | | long | +| netflow.reverse_selector_name | | keyword | +| netflow.reverse_session_scope | | short | +| netflow.reverse_small_packet_count | | long | +| netflow.reverse_source_ipv4_address | | ip | +| netflow.reverse_source_ipv4_prefix | | ip | +| netflow.reverse_source_ipv4_prefix_length | | short | +| netflow.reverse_source_ipv6_address | | ip | +| netflow.reverse_source_ipv6_prefix | | ip | +| netflow.reverse_source_ipv6_prefix_length | | short | +| netflow.reverse_source_mac_address | | keyword | +| netflow.reverse_source_transport_port | | integer | +| netflow.reverse_src_traffic_index | | long | +| netflow.reverse_sta_ipv4_address | | ip | +| netflow.reverse_sta_mac_address | | keyword | +| netflow.reverse_standard_deviation_interarrival_time | | long | +| netflow.reverse_standard_deviation_payload_length | | integer | +| netflow.reverse_system_init_time_milliseconds | | long | +| netflow.reverse_tcp_ack_total_count | | long | +| netflow.reverse_tcp_acknowledgement_number | | long | +| netflow.reverse_tcp_control_bits | | integer | +| netflow.reverse_tcp_destination_port | | integer | +| netflow.reverse_tcp_fin_total_count | | long | +| netflow.reverse_tcp_header_length | | short | +| netflow.reverse_tcp_options | | long | +| netflow.reverse_tcp_psh_total_count | | long | +| netflow.reverse_tcp_rst_total_count | | long | +| netflow.reverse_tcp_sequence_number | | long | +| netflow.reverse_tcp_source_port | | integer | +| netflow.reverse_tcp_syn_total_count | | long | +| netflow.reverse_tcp_urg_total_count | | long | +| netflow.reverse_tcp_urgent_pointer | | integer | +| netflow.reverse_tcp_window_scale | | integer | +| netflow.reverse_tcp_window_size | | integer | +| netflow.reverse_total_length_ipv4 | | integer | +| netflow.reverse_transport_octet_delta_count | | long | +| netflow.reverse_transport_packet_delta_count | | long | +| netflow.reverse_tunnel_technology | | keyword | +| netflow.reverse_udp_destination_port | | integer | +| netflow.reverse_udp_message_length | | integer | +| netflow.reverse_udp_source_port | | integer | +| netflow.reverse_union_tcp_flags | | short | +| netflow.reverse_upper_ci_limit | | double | +| netflow.reverse_user_name | | keyword | +| netflow.reverse_value_distribution_method | | short | +| netflow.reverse_virtual_station_interface_id | | keyword | +| netflow.reverse_virtual_station_interface_name | | keyword | +| netflow.reverse_virtual_station_name | | keyword | +| netflow.reverse_virtual_station_uuid | | keyword | +| netflow.reverse_vlan_id | | integer | +| netflow.reverse_vr_fname | | keyword | +| netflow.reverse_wlan_channel_id | | short | +| netflow.reverse_wlan_ssid | | keyword | +| netflow.reverse_wtp_mac_address | | keyword | +| netflow.rfc3550_jitter_microseconds | | long | +| netflow.rfc3550_jitter_milliseconds | | long | +| netflow.rfc3550_jitter_nanoseconds | | long | +| netflow.rtp_payload_type | | short | +| netflow.rtp_sequence_number | | integer | +| netflow.sampler_id | | short | +| netflow.sampler_mode | | short | +| netflow.sampler_name | | keyword | +| netflow.sampler_random_interval | | long | +| netflow.sampling_algorithm | | short | +| netflow.sampling_flow_interval | | long | +| netflow.sampling_flow_spacing | | long | +| netflow.sampling_interval | | long | +| netflow.sampling_packet_interval | | long | +| netflow.sampling_packet_space | | long | +| netflow.sampling_population | | long | +| netflow.sampling_probability | | double | +| netflow.sampling_size | | long | +| netflow.sampling_time_interval | | long | +| netflow.sampling_time_space | | long | +| netflow.second_packet_banner | | keyword | +| netflow.section_exported_octets | | integer | +| netflow.section_offset | | integer | +| netflow.selection_sequence_id | | long | +| netflow.selector_algorithm | | integer | +| netflow.selector_id | | long | +| netflow.selector_id_total_flows_observed | | long | +| netflow.selector_id_total_flows_selected | | long | +| netflow.selector_id_total_pkts_observed | | long | +| netflow.selector_id_total_pkts_selected | | long | +| netflow.selector_name | | keyword | +| netflow.service_name | | keyword | +| netflow.session_scope | | short | +| netflow.silk_app_label | | integer | +| netflow.small_packet_count | | long | +| netflow.source_ipv4_address | | ip | +| netflow.source_ipv4_prefix | | ip | +| netflow.source_ipv4_prefix_length | | short | +| netflow.source_ipv6_address | | ip | +| netflow.source_ipv6_prefix | | ip | +| netflow.source_ipv6_prefix_length | | short | +| netflow.source_mac_address | | keyword | +| netflow.source_transport_port | | integer | +| netflow.source_transport_ports_limit | | integer | +| netflow.src_traffic_index | | long | +| netflow.ssl_cert_serial_number | | keyword | +| netflow.ssl_cert_signature | | keyword | +| netflow.ssl_cert_validity_not_after | | keyword | +| netflow.ssl_cert_validity_not_before | | keyword | +| netflow.ssl_cert_version | | short | +| netflow.ssl_certificate_hash | | keyword | +| netflow.ssl_cipher | | keyword | +| netflow.ssl_client_version | | short | +| netflow.ssl_compression_method | | short | +| netflow.ssl_object_type | | keyword | +| netflow.ssl_object_value | | keyword | +| netflow.ssl_public_key_algorithm | | keyword | +| netflow.ssl_public_key_length | | keyword | +| netflow.ssl_server_cipher | | long | +| netflow.ssl_server_name | | keyword | +| netflow.sta_ipv4_address | | ip | +| netflow.sta_mac_address | | keyword | +| netflow.standard_deviation_interarrival_time | | long | +| netflow.standard_deviation_payload_length | | short | +| netflow.system_init_time_milliseconds | | date | +| netflow.tcp_ack_total_count | | long | +| netflow.tcp_acknowledgement_number | | long | +| netflow.tcp_control_bits | | integer | +| netflow.tcp_destination_port | | integer | +| netflow.tcp_fin_total_count | | long | +| netflow.tcp_header_length | | short | +| netflow.tcp_options | | long | +| netflow.tcp_psh_total_count | | long | +| netflow.tcp_rst_total_count | | long | +| netflow.tcp_sequence_number | | long | +| netflow.tcp_source_port | | integer | +| netflow.tcp_syn_total_count | | long | +| netflow.tcp_urg_total_count | | long | +| netflow.tcp_urgent_pointer | | integer | +| netflow.tcp_window_scale | | integer | +| netflow.tcp_window_size | | integer | +| netflow.template_id | | integer | +| netflow.tftp_filename | | keyword | +| netflow.tftp_mode | | keyword | +| netflow.timestamp | | long | +| netflow.timestamp_absolute_monitoring-interval | | long | +| netflow.total_length_ipv4 | | integer | +| netflow.traffic_type | | short | +| netflow.transport_octet_delta_count | | long | +| netflow.transport_packet_delta_count | | long | +| netflow.tunnel_technology | | keyword | +| netflow.type | The type of NetFlow record described by this event. | keyword | +| netflow.udp_destination_port | | integer | +| netflow.udp_message_length | | integer | +| netflow.udp_source_port | | integer | +| netflow.union_tcp_flags | | short | +| netflow.upper_ci_limit | | double | +| netflow.user_name | | keyword | +| netflow.username | | keyword | +| netflow.value_distribution_method | | short | +| netflow.viptela_vpn_id | | long | +| netflow.virtual_station_interface_id | | short | +| netflow.virtual_station_interface_name | | keyword | +| netflow.virtual_station_name | | keyword | +| netflow.virtual_station_uuid | | short | +| netflow.vlan_id | | integer | +| netflow.vmware_egress_interface_attr | | integer | +| netflow.vmware_ingress_interface_attr | | integer | +| netflow.vmware_tenant_dest_ipv4 | | ip | +| netflow.vmware_tenant_dest_ipv6 | | ip | +| netflow.vmware_tenant_dest_port | | integer | +| netflow.vmware_tenant_protocol | | short | +| netflow.vmware_tenant_source_ipv4 | | ip | +| netflow.vmware_tenant_source_ipv6 | | ip | +| netflow.vmware_tenant_source_port | | integer | +| netflow.vmware_vxlan_export_role | | short | +| netflow.vpn_identifier | | short | +| netflow.vr_fname | | keyword | +| netflow.waasoptimization_segment | | short | +| netflow.wlan_channel_id | | short | +| netflow.wlan_ssid | | keyword | +| netflow.wtp_mac_address | | keyword | +| netflow.xlate_destination_address_ip_v4 | | ip | +| netflow.xlate_destination_port | | integer | +| netflow.xlate_source_address_ip_v4 | | ip | +| netflow.xlate_source_port | | integer | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.geo.city_name | City name. | keyword | +| observer.geo.continent_name | Name of the continent. | keyword | +| observer.geo.country_iso_code | Country ISO code. | keyword | +| observer.geo.country_name | Country name. | keyword | +| observer.geo.location | Longitude and latitude. | geo_point | +| observer.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| observer.geo.region_iso_code | Region ISO code. | keyword | +| observer.geo.region_name | Region name. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| observer.os.full | Operating system name, including the version or code name. | keyword | +| observer.os.full.text | Multi-field of `observer.os.full`. | match_only_text | +| observer.os.kernel | Operating system kernel version as a raw string. | keyword | +| observer.os.name | Operating system name, without the version. | keyword | +| observer.os.name.text | Multi-field of `observer.os.name`. | match_only_text | +| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| observer.os.version | Operating system version as a raw string. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| organization.id | Unique identifier for the organization. | keyword | +| organization.name | Organization name. | keyword | +| organization.name.text | Multi-field of `organization.name`. | match_only_text | +| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| os.full | Operating system name, including the version or code name. | keyword | +| os.full.text | Multi-field of `os.full`. | match_only_text | +| os.kernel | Operating system kernel version as a raw string. | keyword | +| os.name | Operating system name, without the version. | keyword | +| os.name.text | Multi-field of `os.name`. | match_only_text | +| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| os.version | Operating system version as a raw string. | keyword | +| package.architecture | Package architecture. | keyword | +| package.checksum | Checksum of the installed package for verification. | keyword | +| package.description | Description of the package. | keyword | +| package.install_scope | Indicating how the package was installed, e.g. user-local, global. | keyword | +| package.installed | Time when package was installed. | date | +| package.license | License under which the package was released. Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). | keyword | +| package.name | Package name | keyword | +| package.path | Path where the package is installed. | keyword | +| package.size | Package size in bytes. | long | +| package.version | Package version | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pgid | Deprecated for removal in next major version release. This field is superseded by `process.group_leader.pid`. Identifier of the group of processes the process belongs to. | long | +| process.pid | Process id. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| related.ip | All of the IPs seen on your event. | ip | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| server.as.organization.name | Organization name. | keyword | +| server.as.organization.name.text | Multi-field of `server.as.organization.name`. | match_only_text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.geo.city_name | City name. | keyword | +| server.geo.continent_name | Name of the continent. | keyword | +| server.geo.country_iso_code | Country ISO code. | keyword | +| server.geo.country_name | Country name. | keyword | +| server.geo.location | Longitude and latitude. | geo_point | +| server.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| server.geo.region_iso_code | Region ISO code. | keyword | +| server.geo.region_name | Region name. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.mac | MAC address of the server. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| server.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| server.nat.port | Translated port of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | long | +| server.packets | Packets sent from the server to the client. | long | +| server.port | Port of the server. | long | +| server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| server.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| server.user.email | User email address. | keyword | +| server.user.full_name | User's full name, if available. | keyword | +| server.user.full_name.text | Multi-field of `server.user.full_name`. | match_only_text | +| server.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| server.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| server.user.group.name | Name of the group. | keyword | +| server.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| server.user.id | Unique identifier of the user. | keyword | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| service.ephemeral_id | Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but `service.id` does not. | keyword | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| service.node.name | Name of a service node. This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. | keyword | +| service.state | Current state of the service. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.locality | Whether the source IP is private or public. | keyword | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | +| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | +| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| trace.id | Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. | keyword | +| transaction.id | Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + diff --git a/packages/netflow/2.2.5/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json b/packages/netflow/2.2.5/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json new file mode 100755 index 0000000000..6df6ba38b4 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c.json @@ -0,0 +1,72 @@ +{ + "attributes": { + "description": "Netflow Top N flows", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":24},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":24},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Top-N", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e", + "name": "9:panel_9", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json b/packages/netflow/2.2.5/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json new file mode 100755 index 0000000000..5121267442 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2.json @@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "Overview of Netflow", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":16,\"y\":12},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":32,\"y\":12},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"22\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"23\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"24\",\"panelRefName\":\"panel_24\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_25\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"26\",\"panelRefName\":\"panel_26\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":16,\"x\":16,\"y\":28},\"panelIndex\":\"27\",\"panelRefName\":\"panel_27\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_29\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-34e26884-161a-4448-9556-43b5bf2f62a2", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", + "name": "21:panel_21", + "type": "visualization" + }, + { + "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", + "name": "22:panel_22", + "type": "visualization" + }, + { + "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", + "name": "23:panel_23", + "type": "visualization" + }, + { + "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d", + "name": "24:panel_24", + "type": "visualization" + }, + { + "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", + "name": "25:panel_25", + "type": "visualization" + }, + { + "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", + "name": "26:panel_26", + "type": "visualization" + }, + { + "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163", + "name": "27:panel_27", + "type": "visualization" + }, + { + "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", + "name": "29:panel_29", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json b/packages/netflow/2.2.5/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json new file mode 100755 index 0000000000..8c9c9643d8 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json @@ -0,0 +1,232 @@ +{ + "attributes": { + "description": "Netflow traffic analysis", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":24,\"x\":24,\"y\":84},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":108},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":108},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":84},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":16,\"x\":0,\"y\":28},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":24,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":24,\"y\":28},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":52},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":16,\"x\":24,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"21\",\"w\":16,\"x\":0,\"y\":76},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"22\",\"w\":16,\"x\":24,\"y\":76},\"panelIndex\":\"22\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"23\",\"w\":16,\"x\":0,\"y\":100},\"panelIndex\":\"23\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"24\",\"w\":16,\"x\":24,\"y\":100},\"panelIndex\":\"24\",\"panelRefName\":\"panel_24\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"25\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"25\",\"panelRefName\":\"panel_25\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"26\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"26\",\"panelRefName\":\"panel_26\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"27\",\"w\":8,\"x\":16,\"y\":4},\"panelIndex\":\"27\",\"panelRefName\":\"panel_27\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"28\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"28\",\"panelRefName\":\"panel_28\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"29\",\"w\":8,\"x\":40,\"y\":28},\"panelIndex\":\"29\",\"panelRefName\":\"panel_29\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"30\",\"w\":8,\"x\":16,\"y\":28},\"panelIndex\":\"30\",\"panelRefName\":\"panel_30\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"31\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"31\",\"panelRefName\":\"panel_31\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"34\",\"w\":24,\"x\":24,\"y\":116},\"panelIndex\":\"34\",\"panelRefName\":\"panel_34\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"35\",\"w\":24,\"x\":0,\"y\":116},\"panelIndex\":\"35\",\"panelRefName\":\"panel_35\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"38\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"38\",\"panelRefName\":\"panel_38\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"42\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"42\",\"panelRefName\":\"panel_42\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"44\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"44\",\"panelRefName\":\"panel_44\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"45\",\"w\":24,\"x\":0,\"y\":68},\"panelIndex\":\"45\",\"panelRefName\":\"panel_45\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"47\",\"w\":24,\"x\":24,\"y\":68},\"panelIndex\":\"47\",\"panelRefName\":\"panel_47\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"48\",\"w\":8,\"x\":16,\"y\":52},\"panelIndex\":\"48\",\"panelRefName\":\"panel_48\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"49\",\"w\":8,\"x\":40,\"y\":52},\"panelIndex\":\"49\",\"panelRefName\":\"panel_49\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"50\",\"w\":8,\"x\":40,\"y\":76},\"panelIndex\":\"50\",\"panelRefName\":\"panel_50\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"51\",\"w\":8,\"x\":40,\"y\":100},\"panelIndex\":\"51\",\"panelRefName\":\"panel_51\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"52\",\"w\":8,\"x\":16,\"y\":100},\"panelIndex\":\"52\",\"panelRefName\":\"panel_52\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"53\",\"w\":8,\"x\":16,\"y\":76},\"panelIndex\":\"53\",\"panelRefName\":\"panel_53\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Traffic Analysis", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-38012abe-c611-4124-8497-381fcd85acc8", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "netflow-681f0ce4-d828-4a99-b643-0c0715530050", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", + "name": "20:panel_20", + "type": "visualization" + }, + { + "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", + "name": "21:panel_21", + "type": "visualization" + }, + { + "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", + "name": "22:panel_22", + "type": "visualization" + }, + { + "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f", + "name": "23:panel_23", + "type": "visualization" + }, + { + "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2", + "name": "24:panel_24", + "type": "visualization" + }, + { + "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", + "name": "25:panel_25", + "type": "visualization" + }, + { + "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", + "name": "26:panel_26", + "type": "visualization" + }, + { + "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", + "name": "27:panel_27", + "type": "visualization" + }, + { + "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", + "name": "28:panel_28", + "type": "visualization" + }, + { + "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", + "name": "29:panel_29", + "type": "visualization" + }, + { + "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", + "name": "30:panel_30", + "type": "visualization" + }, + { + "id": "netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", + "name": "31:panel_31", + "type": "visualization" + }, + { + "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", + "name": "34:panel_34", + "type": "visualization" + }, + { + "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", + "name": "35:panel_35", + "type": "visualization" + }, + { + "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", + "name": "38:panel_38", + "type": "visualization" + }, + { + "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", + "name": "42:panel_42", + "type": "visualization" + }, + { + "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb", + "name": "44:panel_44", + "type": "visualization" + }, + { + "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f", + "name": "45:panel_45", + "type": "visualization" + }, + { + "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", + "name": "47:panel_47", + "type": "visualization" + }, + { + "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", + "name": "48:panel_48", + "type": "visualization" + }, + { + "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", + "name": "49:panel_49", + "type": "visualization" + }, + { + "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", + "name": "50:panel_50", + "type": "visualization" + }, + { + "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", + "name": "51:panel_51", + "type": "visualization" + }, + { + "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", + "name": "52:panel_52", + "type": "visualization" + }, + { + "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", + "name": "53:panel_53", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json b/packages/netflow/2.2.5/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json new file mode 100755 index 0000000000..8e2e71878d --- /dev/null +++ b/packages/netflow/2.2.5/kibana/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "Netflow geo location", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":{\"query\":\"netflow.log\"}}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"18\",\"w\":16,\"x\":0,\"y\":12},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"9afd9bfb-ab56-4bc3-a8c6-e412c1bc7f24\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"85982ce7-be78-44ec-a692-96c118b3a187\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":\\\"Destination Geo Location Heatmap [Logs Netflow]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"6972252f-e3a3-4886-abfb-bea957bc1c73\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"colorRampName\\\":\\\"theclassic\\\",\\\"type\\\":\\\"HEATMAP\\\"},\\\"type\\\":\\\"HEATMAP\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Destination Geo Location Heatmap [Logs Netflow]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"41aa0e4c-7e76-4715-bf20-c756e74ffe02\",\"w\":32,\"x\":16,\"y\":4},\"panelIndex\":\"41aa0e4c-7e76-4715-bf20-c756e74ffe02\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Geo Location", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-77326664-23be-4bf1-a126-6d7e60cfc024", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "20:panel_20", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "41aa0e4c-7e76-4715-bf20-c756e74ffe02:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json b/packages/netflow/2.2.5/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json new file mode 100755 index 0000000000..8ffb5c9326 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365.json @@ -0,0 +1,47 @@ +{ + "attributes": { + "description": "Netflow flow records", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":36,\"x\":12,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"source.ip\",\"source.port\",\"destination.ip\",\"destination.port\",\"network.transport\",\"network.bytes\",\"network.packets\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Flow records", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-94972700-de4a-4272-9143-2fa8d4981365", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", + "name": "5:panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json b/packages/netflow/2.2.5/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json new file mode 100755 index 0000000000..273f679d05 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32.json @@ -0,0 +1,52 @@ +{ + "attributes": { + "description": "Netflow conversation partners", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Conversation Partners", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-acd7a630-0c71-4840-bc9e-4a3801374a32", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "5:panel_5", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json b/packages/netflow/2.2.5/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json new file mode 100755 index 0000000000..a900f7c546 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "Autonomous systems Netflow", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Autonomous Systems", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-c64665f9-d222-421e-90b0-c7310d944b8a", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "name": "8:panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json b/packages/netflow/2.2.5/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json new file mode 100755 index 0000000000..9496b56018 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425.json @@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "Netflow exporters", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\",\"value\":\"netflow.log\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"netflow.log\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":4},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "timeRestore": false, + "title": "[Logs Netflow] Flow Exporters", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", + "name": "10:panel_10", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json b/packages/netflow/2.2.5/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json new file mode 100755 index 0000000000..2c52255540 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/search/netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.transport", + "network.bytes", + "network.packets" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"netflow.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"netflow.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Flow Records [Logs Netflow]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-a34c6611-79d8-4b50-ae3f-8b328d28e24a", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json b/packages/netflow/2.2.5/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json new file mode 100755 index 0000000000..8bfe0f24fd --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLAN Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"VLANs\",\"field\":\"netflow.vlan_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"VLAN Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-0177bf1a-cba8-4ba6-a1d7-73caed86ffc2", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json b/packages/netflow/2.2.5/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json new file mode 100755 index 0000000000..4edc81efd4 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Autonomous Systems [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Autonomous Systems [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-036aef95-ec90-468d-ad7c-3cc4405e9e81", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json b/packages/netflow/2.2.5/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json new file mode 100755 index 0000000000..4283ed8398 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-0528bc66-6981-400a-a02d-c1d221b38890.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-0528bc66-6981-400a-a02d-c1d221b38890", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json b/packages/netflow/2.2.5/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json new file mode 100755 index 0000000000..d3cd03e5fd --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-0b2818fd-aecc-4bef-b566-9466eb702ae4", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json b/packages/netflow/2.2.5/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json new file mode 100755 index 0000000000..50ca670a97 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-12aad647-c45d-4667-a029-152c1a97cbbc.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-12aad647-c45d-4667-a029-152c1a97cbbc", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json b/packages/netflow/2.2.5/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json new file mode 100755 index 0000000000..07d1ebeea9 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Ingress Interfaces (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Ingress Interface\",\"field\":\"netflow.ingress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Ingress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-14c7136d-b4aa-4367-9461-52bf8b5c4796", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json b/packages/netflow/2.2.5/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json new file mode 100755 index 0000000000..3f2413b575 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-15295ea6-ba84-47db-8ced-9312abbf495c.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Sources [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Sources [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-15295ea6-ba84-47db-8ced-9312abbf495c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json b/packages/netflow/2.2.5/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json new file mode 100755 index 0000000000..f8800be221 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-1558508d-591c-49be-bef4-85fdac18a960.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources and Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Sources and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-1558508d-591c-49be-bef4-85fdac18a960", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json b/packages/netflow/2.2.5/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json new file mode 100755 index 0000000000..185796e6a0 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-15e2a267-2495-4df2-a121-abe410d2f18c.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLANs (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-15e2a267-2495-4df2-a121-abe410d2f18c", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json b/packages/netflow/2.2.5/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json new file mode 100755 index 0000000000..2be98aa7d5 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-16262df9-a979-4136-935e-d883c7d373d7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "City Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Cities\",\"field\":\"destination.geo.city_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"City Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-16262df9-a979-4136-935e-d883c7d373d7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json b/packages/netflow/2.2.5/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json new file mode 100755 index 0000000000..5d2741d0ea --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Ingress Interfaces (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-1cd36f5d-d9c7-4098-acdb-14d312ecfb72", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json b/packages/netflow/2.2.5/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json new file mode 100755 index 0000000000..8089613edd --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Types of Service (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type of Service\",\"field\":\"netflow.ip_class_of_service\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-1cf30eac-aae8-47fa-a156-37f6346d2d5a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json b/packages/netflow/2.2.5/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json new file mode 100755 index 0000000000..36dd644fb6 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Cities (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-1e74d5cb-556d-42ee-8042-88f6c1af47f0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json b/packages/netflow/2.2.5/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json new file mode 100755 index 0000000000..6e319d2ee8 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-201d7dd1-a880-4a64-b631-db5629340db9.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-201d7dd1-a880-4a64-b631-db5629340db9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json b/packages/netflow/2.2.5/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json new file mode 100755 index 0000000000..38d938c712 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries and Cities (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries and Cities (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-2316bb53-d98a-4f0f-8cd8-51e9fb317823", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json b/packages/netflow/2.2.5/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json new file mode 100755 index 0000000000..0b978a1c6b --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-248e00b4-8fc2-406f-8907-729d5380aaa7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-248e00b4-8fc2-406f-8907-729d5380aaa7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json b/packages/netflow/2.2.5/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json new file mode 100755 index 0000000000..18a1464367 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Protocols [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Protocols [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-2b3d4e86-2254-4033-8fe3-ce4753fafd03", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json b/packages/netflow/2.2.5/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json new file mode 100755 index 0000000000..f735f227fc --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-2dca3025-692c-4876-8bcc-e0b248dc9819.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"TCP Flag States\",\"field\":\"netflow.tcp_control_bits\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"TCP Flags Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-2dca3025-692c-4876-8bcc-e0b248dc9819", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json b/packages/netflow/2.2.5/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json new file mode 100755 index 0000000000..bbff9003ca --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-30cd1009-2925-4c9b-820d-d689f5d1efda.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous Systems (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-30cd1009-2925-4c9b-820d-d689f5d1efda", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json b/packages/netflow/2.2.5/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json new file mode 100755 index 0000000000..4ab3ca80e4 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-31708a70-4957-4a8a-8065-5c88a344ad02.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Exporters (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Flow Exporters (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-31708a70-4957-4a8a-8065-5c88a344ad02", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json b/packages/netflow/2.2.5/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json new file mode 100755 index 0000000000..08d9c2dafa --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Destination Ports [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destination Ports [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-31b5f6fd-eb9d-4e97-90fd-367062ef217f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json b/packages/netflow/2.2.5/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json new file mode 100755 index 0000000000..b34bb34cac --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-32e712ed-fa15-4db7-8575-8476e8d65b03.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-32e712ed-fa15-4db7-8575-8476e8d65b03", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json b/packages/netflow/2.2.5/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json new file mode 100755 index 0000000000..ca56e99437 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Ports (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-3a4209e2-281c-467e-b5cb-315bf4a2661f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json b/packages/netflow/2.2.5/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json new file mode 100755 index 0000000000..59778d4915 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Version (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Version (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-3dec20c0-0d4f-43ef-8864-3779e1a1b33f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json b/packages/netflow/2.2.5/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json new file mode 100755 index 0000000000..b12c7d2621 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-3e27fb83-b3e3-4c15-b999-ed6da49b7a86", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json b/packages/netflow/2.2.5/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json new file mode 100755 index 0000000000..2a58338da7 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-441c6c50-fa1a-489c-96c6-76f7925dea24.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Exporters (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Flow Exporters (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-441c6c50-fa1a-489c-96c6-76f7925dea24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json b/packages/netflow/2.2.5/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json new file mode 100755 index 0000000000..de5cb96164 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Egress Interfaces (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Egress Interface\",\"field\":\"netflow.egress_interface\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Egress Interfaces (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-4ac97841-c89f-4d50-b3c6-6253f7e1dd1a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json b/packages/netflow/2.2.5/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json new file mode 100755 index 0000000000..42c5ea60ea --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Records [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timeline\",\"extended_bounds\":{},\"field\":\"event.end\",\"interval\":\"s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Version\",\"field\":\"netflow.exporter.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Flow Records\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-4bb0255e-18ed-45e4-bfb9-de8e35b12094", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json b/packages/netflow/2.2.5/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json new file mode 100755 index 0000000000..def8920024 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-5292a65b-c532-422a-9008-1251a8073a3a.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Cities [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":true,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Cities [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-5292a65b-c532-422a-9008-1251a8073a3a", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json b/packages/netflow/2.2.5/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json new file mode 100755 index 0000000000..9de72f30b5 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Destinations [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Destinations [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-5303e99b-389c-47b7-ae7a-945c5a92ba49", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json b/packages/netflow/2.2.5/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json new file mode 100755 index 0000000000..7e811e1ea3 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-57e13a20-e94f-4465-a942-42148634a1d2.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TCP Flags\",\"field\":\"netflow.tcp_control_bits\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":255},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-57e13a20-e94f-4465-a942-42148634a1d2", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json b/packages/netflow/2.2.5/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json new file mode 100755 index 0000000000..1cb0ac07fd --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries and Cities (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries and Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-5ccac452-e90a-4dde-ae9b-1be36ce3f761", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json b/packages/netflow/2.2.5/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json new file mode 100755 index 0000000000..552f9ceaf6 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-5cfb2c9a-4815-4a25-9d7e-ab0ef55ffe63", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json b/packages/netflow/2.2.5/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json new file mode 100755 index 0000000000..1a237de283 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-5d868836-c7b2-4812-bf47-4838aac281d9.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-5d868836-c7b2-4812-bf47-4838aac281d9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json b/packages/netflow/2.2.5/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json new file mode 100755 index 0000000000..6c3e1b32bd --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Country Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Countries\",\"field\":\"destination.geo.country_name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Country Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-63ef5338-fdf2-488e-b78a-f0e98daccc95", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json b/packages/netflow/2.2.5/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json new file mode 100755 index 0000000000..c4b788481c --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations and Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-67fdca65-a9df-47f0-a8a4-1e8b056325de", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json b/packages/netflow/2.2.5/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json new file mode 100755 index 0000000000..e185a6934d --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-681f0ce4-d828-4a99-b643-0c0715530050.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-681f0ce4-d828-4a99-b643-0c0715530050", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json b/packages/netflow/2.2.5/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json new file mode 100755 index 0000000000..f420f9b844 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-6bbd6712-494a-4fd9-b3d3-757304681f0f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json b/packages/netflow/2.2.5/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json new file mode 100755 index 0000000000..da2f83b090 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-717cd7c7-bfca-435d-8ee7-38259927aade.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Types of Service (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-717cd7c7-bfca-435d-8ee7-38259927aade", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json b/packages/netflow/2.2.5/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json new file mode 100755 index 0000000000..c9b9434535 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-751ecb6f-11c3-458d-b039-f6d57a6379fa", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json b/packages/netflow/2.2.5/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json new file mode 100755 index 0000000000..5170f89858 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-7d447b22-89dc-4f32-b549-4b8620af4d76.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Cities (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.city_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.city_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Cities (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-7d447b22-89dc-4f32-b549-4b8620af4d76", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json b/packages/netflow/2.2.5/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json new file mode 100755 index 0000000000..e10072db9a --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLANs (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"VLAN\",\"field\":\"netflow.vlan_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-7fa6cb0a-518d-46e9-a228-15cd4253a957", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json b/packages/netflow/2.2.5/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json new file mode 100755 index 0000000000..4d61c728ef --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-85ebf558-402b-45d2-a186-e15f8673ec07.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Egress Interfaces (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-85ebf558-402b-45d2-a186-e15f8673ec07", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json b/packages/netflow/2.2.5/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json new file mode 100755 index 0000000000..d3bba7450d --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "TCP Flags (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.tcp_control_bits:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.tcp_control_bits:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"TCP Flags (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-8f83cf97-4a48-421f-8db5-690297d1f4fb", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json b/packages/netflow/2.2.5/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json new file mode 100755 index 0000000000..305b1cbe98 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-a14c3248-952d-42aa-bd7d-9b39157a776f.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country\",\"field\":\"destination.geo.country_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Countries (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-a14c3248-952d-42aa-bd7d-9b39157a776f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json b/packages/netflow/2.2.5/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json new file mode 100755 index 0000000000..9fd050b6f2 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-a1704d46-15fc-41c2-851d-796ceb49877f.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Types of Service (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.ip_class_of_service:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ip_class_of_service:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Types of Service (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-a1704d46-15fc-41c2-851d-796ceb49877f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json b/packages/netflow/2.2.5/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json new file mode 100755 index 0000000000..fff9d9fbb7 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "VLANs (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.vlan_id:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.vlan_id:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"VLANs (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-a5efa3dd-f53a-4d14-9d3f-ee73345fd93d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json b/packages/netflow/2.2.5/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json new file mode 100755 index 0000000000..d5430f2886 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Cities (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"City\",\"field\":\"destination.geo.city_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Cities (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-a685420e-c45f-4b62-932b-5b76ac8b8ca2", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json b/packages/netflow/2.2.5/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json new file mode 100755 index 0000000000..e67336cb81 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-abfa0b19-60cd-4984-9c3d-02ebf0aa1dfb", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json b/packages/netflow/2.2.5/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json new file mode 100755 index 0000000000..11c13cd5af --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-ae334aec-31fa-4df7-a064-40b18831d819.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "IP Version and Protocols (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IP Version\",\"field\":\"network.type\",\"missingBucket\":true,\"missingBucketLabel\":\"unset ip version\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"sum\",\"format\":{\"id\":\"bytes\"},\"params\":{}}},\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"IP Version and Protocols (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-ae334aec-31fa-4df7-a064-40b18831d819", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json b/packages/netflow/2.2.5/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json new file mode 100755 index 0000000000..0cb598214c --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-aed09724-0a69-4331-84f5-3d2067c43930.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations and Sources (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Sources (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-aed09724-0a69-4331-84f5-3d2067c43930", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json b/packages/netflow/2.2.5/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json new file mode 100755 index 0000000000..4687a20531 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-af707b01-29f1-462b-b279-6d2e803f3645.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Port Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Destination Port Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-af707b01-29f1-462b-b279-6d2e803f3645", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json b/packages/netflow/2.2.5/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json new file mode 100755 index 0000000000..b966d64753 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Locality (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Locality\",\"field\":\"flow.locality\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Locality (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-b02c2713-17f0-41dd-88a3-ce33b446f19d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json b/packages/netflow/2.2.5/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json new file mode 100755 index 0000000000..1eceb9a616 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-b677cd82-b33e-49b3-8b6e-0e110177b163.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Direction (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Direction\",\"field\":\"network.direction\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Direction (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-b677cd82-b33e-49b3-8b6e-0e110177b163", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json b/packages/netflow/2.2.5/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json new file mode 100755 index 0000000000..a0b7c0c1c2 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Flow Records [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Flow Records [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-c27c6a3b-93ee-44d5-8d0c-9b097e575f52", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json b/packages/netflow/2.2.5/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json new file mode 100755 index 0000000000..878b1708d1 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination and Source Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-c54f5529-e6d7-4c26-8e8e-3b35de132035", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json b/packages/netflow/2.2.5/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json new file mode 100755 index 0000000000..2a6ad569d2 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-cccff92f-cb71-49a9-9caf-84867751d31e.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Flow Exporters [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Flow Exporter\",\"field\":\"agent.name\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Flow Exporters [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-cccff92f-cb71-49a9-9caf-84867751d31e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json b/packages/netflow/2.2.5/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json new file mode 100755 index 0000000000..743e1dfb17 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination Ports (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-cf399a85-e348-4ac1-a399-e8f5a44114c4", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json b/packages/netflow/2.2.5/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json new file mode 100755 index 0000000000..979ae6b817 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Autonomous Systems (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destination Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d27b5d74-b3b4-4311-a0e6-08ff8f4345df", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json b/packages/netflow/2.2.5/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json new file mode 100755 index 0000000000..c6f2374192 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Ingress Interfaces (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"netflow.ingress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.ingress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Ingress Interfaces (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d3df8d28-65f8-4ea1-8b33-f479380a0600", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json b/packages/netflow/2.2.5/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json new file mode 100755 index 0000000000..79287a5688 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Countries (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.geo.country_name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.geo.country_name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Countries (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d41a9663-e5ad-47a7-955e-3803ae4e23c0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json b/packages/netflow/2.2.5/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json new file mode 100755 index 0000000000..80858ba78a --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Dashboard Navigation [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Overview](#/dashboard/netflow-34e26884-161a-4448-9556-43b5bf2f62a2) | [Conversation Partners](#/dashboard/netflow-acd7a630-0c71-4840-bc9e-4a3801374a32) | [Traffic Analysis](#/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8) | [Top-N](#/dashboard/netflow-14387a13-53bc-43a4-b9cd-63977aa8d87c) | [Geo Location](#/dashboard/netflow-77326664-23be-4bf1-a126-6d7e60cfc024) | [Autonomous Systems](#/dashboard/netflow-c64665f9-d222-421e-90b0-c7310d944b8a) | [Flow Exporters](#/dashboard/netflow-feebb4e6-b13e-4e4e-b9fc-d3a178276425) | [Raw Flow Records](#/dashboard/netflow-94972700-de4a-4272-9143-2fa8d4981365)\\n***\"},\"title\":\"Dashboard Navigation [Logs Netflow]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d4e6520a-9ced-47c9-a8f2-7246e8cbd2d3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json b/packages/netflow/2.2.5/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json new file mode 100755 index 0000000000..31ce08b895 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous System Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Autonomous Systems\",\"field\":\"destination.as.organization.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Autonomous System Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d5568704-e30b-4108-bb49-06a9b8dce6a6", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json b/packages/netflow/2.2.5/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json new file mode 100755 index 0000000000..2966189f54 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-d59a031c-70d6-47d7-966d-7fcb805be9be.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"destination.ip:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* destination.ip:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Destinations (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-d59a031c-70d6-47d7-966d-7fcb805be9be", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json b/packages/netflow/2.2.5/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json new file mode 100755 index 0000000000..e443df12d7 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Port Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Ports\",\"field\":\"source.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Source Port Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-ddd27657-c3c8-4f82-8059-6d7763dd599b", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json b/packages/netflow/2.2.5/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json new file mode 100755 index 0000000000..d2c4ad8355 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destinations and Sources (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destinations and Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-e822f94c-5f65-4963-a540-74ca9c25bd2d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json b/packages/netflow/2.2.5/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json new file mode 100755 index 0000000000..497a4ccbfb --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-e99dc327-03de-4561-9e0c-f550710125c2.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination Count [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"fontSize\":\"32\",\"handleNoResults\":true},\"title\":\"Destination Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-e99dc327-03de-4561-9e0c-f550710125c2", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json b/packages/netflow/2.2.5/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json new file mode 100755 index 0000000000..60c450cad9 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Top Source Ports [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":500},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top Source Ports [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-e9ad835b-b2f2-42d3-a3e7-555a593deacf", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json b/packages/netflow/2.2.5/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json new file mode 100755 index 0000000000..510bd9c74c --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Conversation Partners [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Packets\",\"field\":\"network.packets\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"title\":\"Conversation Partners [Logs Netflow]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-ebea013f-9b5b-4f61-a9c8-c62bebf62ae9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json b/packages/netflow/2.2.5/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json new file mode 100755 index 0000000000..75c6397b07 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-f27c1479-0625-4cdc-92de-672e47db0f87.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "ToS Count [Logs Netflow]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Types of Service\",\"field\":\"netflow.ip_class_of_service\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"32\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"36\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"ToS Count [Logs Netflow]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f27c1479-0625-4cdc-92de-672e47db0f87", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json b/packages/netflow/2.2.5/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json new file mode 100755 index 0000000000..dcd2f36948 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-f531f957-e8c0-497a-ad41-ef39c2d29671.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination and Source Ports (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Port\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Port\",\"field\":\"source.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source Ports (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f531f957-e8c0-497a-ad41-ef39c2d29671", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json b/packages/netflow/2.2.5/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json new file mode 100755 index 0000000000..19567eb0c0 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Ports (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.bytes\\\", split=\\\"source.port:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.port:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"bytes / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Ports (bytes) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f668ecdb-eec7-44c6-9060-26aaf9fc8404", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json b/packages/netflow/2.2.5/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json new file mode 100755 index 0000000000..8ba248d484 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Source Autonomous Systems (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"source.as.organization.name:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* source.as.organization.name:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Source Autonomous Systems (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f75063c7-48b7-4de4-b8cb-d07eb2cea0e9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json b/packages/netflow/2.2.5/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json new file mode 100755 index 0000000000..f92dadbfe2 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-f772028b-d5a6-4d55-b441-493871981a60.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Autonomous Systems (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Autonomous System\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Autonomous Systems (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f772028b-d5a6-4d55-b441-493871981a60", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json b/packages/netflow/2.2.5/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json new file mode 100755 index 0000000000..55a143a303 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-f7808e70-df2a-4532-a350-966704567c24.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Destination and Source ASs (flow records) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Flow Records\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination AS\",\"field\":\"destination.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source AS\",\"field\":\"source.as.organization.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Destination and Source ASs (flow records) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f7808e70-df2a-4532-a350-966704567c24", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json b/packages/netflow/2.2.5/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json new file mode 100755 index 0000000000..d810abfa5a --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Egress Interfaces (packets) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"expression\":\".es(index=\\\"logs-*\\\", metric=\\\"sum:network.packets\\\", split=\\\"netflow.egress_interface:10\\\", kibana=true).scale_interval(1s).fit(mode=scale).if(operator=\\\"lt\\\", if=0, then=0).trim(start=2,end=1).label(regex=\\\"^.* netflow.egress_interface:(.+) \\u003e .*$\\\", label=\\\"$1\\\").lines(width=1, stack=true, fill=1).yaxis(label=\\\"packets / sec\\\", min=0)\",\"interval\":\"auto\"},\"title\":\"Egress Interfaces (packets) [Logs Netflow]\",\"type\":\"timelion\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-f86a7769-8ef6-408d-bbe3-985d0ea0a3f7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json b/packages/netflow/2.2.5/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json new file mode 100755 index 0000000000..8e5d47ad63 --- /dev/null +++ b/packages/netflow/2.2.5/kibana/visualization/netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Sources (bytes) [Logs Netflow]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":50},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Sources (bytes) [Logs Netflow]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "netflow-fd6c1144-5026-4795-b7af-a9aa3fc28c56", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/netflow/2.2.5/manifest.yml b/packages/netflow/2.2.5/manifest.yml new file mode 100755 index 0000000000..a466849f98 --- /dev/null +++ b/packages/netflow/2.2.5/manifest.yml @@ -0,0 +1,23 @@ +format_version: 1.0.0 +name: netflow +title: NetFlow Records +version: "2.2.5" +license: basic +description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent. +type: integration +categories: + - network + - security +release: ga +conditions: + kibana.version: ^8.0.0 +policy_templates: + - name: netflow + title: NetFlow logs + description: Collect Netflow logs from networks via UDP + inputs: + - type: netflow + title: Collect NetFlow logs + description: Collecting NetFlow logs using the netflow input +owner: + github: elastic/security-external-integrations diff --git a/packages/okta/1.10.3/LICENSE.txt b/packages/okta/1.10.3/LICENSE.txt new file mode 100755 index 0000000000..809108b857 --- /dev/null +++ b/packages/okta/1.10.3/LICENSE.txt @@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. + +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. + +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/okta/1.10.3/changelog.yml b/packages/okta/1.10.3/changelog.yml new file mode 100755 index 0000000000..206b61e907 --- /dev/null +++ b/packages/okta/1.10.3/changelog.yml @@ -0,0 +1,195 @@ +# newer versions go on top +- version: "1.10.3" + changes: + - description: Mark url config option as a required field + type: bugfix + link: https://github.com/elastic/integrations/pull/4424 +- version: "1.10.2" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.10.1" + changes: + - description: Mark api_key config option as a required field + type: bugfix + link: https://github.com/elastic/integrations/pull/4127 +- version: "1.10.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3868 +- version: "1.9.2" + changes: + - description: Fix proxy URL documentation rendering. + type: bugfix + link: https://github.com/elastic/integrations/pull/3881 +- version: "1.9.1" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "1.9.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.8.0" + changes: + - description: Add `okta.debug_context.debug_data.risk_level` field + type: enhancement + link: https://github.com/elastic/integrations/pull/3362 + - description: Add flattened `okta.debug_context.debug_data.flattened.log_only_security_data.*` fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3362 + - description: Fix mapping type for `client.as.number` + type: bugfix + link: https://github.com/elastic/integrations/pull/3362 +- version: "1.7.0" + changes: + - description: Add flattened `okta.request.ip_chain.*` fields + type: enhancement + link: https://github.com/elastic/integrations/pull/3326 +- version: "1.6.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2780 +- version: "1.5.2" + changes: + - description: Handle invalid values in client.ipAddress + type: bugfix + link: https://github.com/elastic/integrations/pull/3010 +- version: "1.5.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.5.0" + changes: + - description: Increase the limit for the number of results in an API response. + type: enhancement + link: https://github.com/elastic/integrations/pull/2791 +- version: "1.4.1" + changes: + - description: Add missing field mapping for event.created. + type: enhancement + link: https://github.com/elastic/integrations/pull/2774 +- version: "1.4.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2428 +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2264 +- version: "1.2.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2095 +- version: "1.2.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1977 +- version: "1.2.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1838 +- version: "1.2.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1638 +- version: "1.1.3" + changes: + - description: Add proxy config + type: enhancement + link: https://github.com/elastic/integrations/pull/1648 +- version: "1.1.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1494 +- version: "1.1.1" + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1403 +- version: "1.1.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "1.0.1" + changes: + - description: add missing `initial_interval` option to the manifest + type: bugfix + link: https://github.com/elastic/integrations/pull/1299 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1222 + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1222 +- version: "0.6.0" + changes: + - description: Update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1067 +- version: "0.5.2" + changes: + - description: Add httpjson system tests and remove log input. + type: enhancement + link: https://github.com/elastic/integrations/pull/1034 +- version: "0.5.1" + changes: + - description: Make event.original optional + type: enhancement + link: https://github.com/elastic/integrations/pull/1009 +- version: "0.5.0" + changes: + - description: change okta.target to flattened type + type: enhancement + link: https://github.com/elastic/integrations/pull/899 +- version: "0.4.2" + changes: + - description: add fail_on_template_error on pagination + type: bugfix + link: https://github.com/elastic/integrations/pull/901 +- version: "0.4.1" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/861 +- version: "0.4.0" + changes: + - description: Moves edge processing to ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/759/ +- version: "0.3.1" + changes: + - description: Change kibana.version constraint to be more conservative. + type: bugfix + link: https://github.com/elastic/integrations/pull/749 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/232 diff --git a/packages/okta/1.10.3/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/1.10.3/data_stream/system/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..3fa890e4af --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/agent/stream/httpjson.yml.hbs @@ -0,0 +1,53 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" +request.url: {{url}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} + +request.rate_limit: + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[.last_response.header.Get "X-Rate-Limit-Reset"]]' +request.transforms: + - set: + target: header.Authorization + value: "SSWS {{api_key}}" + - set: + target: url.params.limit + value: '1000' + - set: + target: url.params.since + value: "[[.cursor.published]]" + default: '[[formatDate (now (parseDuration "-{{initial_interval}}")) "RFC3339"]]' +response.pagination: + - set: + target: url.value + value: '[[ getRFC5988Link "next" .last_response.header.Link ]]' + fail_on_template_error: true + +cursor: + published: + value: "[[.last_event.published]]" + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/okta/1.10.3/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/1.10.3/data_stream/system/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..0d7fa155cd --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,628 @@ +--- +description: Pipeline for Okta system logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - rename: + field: message + target_field: event.original + - json: + field: event.original + target_field: json + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - convert: + field: json.uuid + target_field: _id + type: string + ignore_failure: true + if: ctx?.json?.uuid != null && ctx?.json?.uuid != "" + - date: + field: json.published + formats: + - ISO8601 + ignore_failure: true + - set: + field: event.kind + value: event + - rename: + field: json.displayMessage + target_field: okta.display_message + ignore_missing: true + ignore_failure: true + - rename: + field: json.eventType + target_field: okta.event_type + ignore_missing: true + ignore_failure: true + - append: + field: event.category + value: iam + if: | + ["group.user_membership.add","group.user_membership.remove", + "user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend"].contains(ctx?.okta?.event_type) + - append: + field: event.category + value: configuration + if: | + ["policy.lifecycle.activate","policy.lifecycle.create", + "policy.lifecycle.deactivate","policy.lifecycle.delete", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", + "policy.rule.deactivate","policy.rule.delete", + "application.lifecycle.create","application.lifecycle.delete", + "policy.rule.update","application.lifecycle.activate", + "application.lifecycle.deactivate","application.lifecycle.update"].contains(ctx?.okta?.event_type) + - append: + field: event.category + value: authentication + if: '["user.session.start","user.session.end","user.authentication.sso","policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - append: + field: event.category + value: session + if: '["user.session.start","user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: network + if: '["security.request.blocked"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: network + if: | + ["system.org.rate_limit.warning","system.org.rate_limit.violation", + "core.concurrency.org.limit.violation","security.request.blocked"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: start + if: '["user.session.start"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: end + if: '["user.session.end"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: group + if: '["group.user_membership.add","group.user_membership.remove"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: user + if: | + ["user.lifecycle.activate","user.lifecycle.create", + "user.lifecycle.deactivate","user.lifecycle.suspend", + "user.lifecycle.unsuspend","user.authentication.sso", + "user.session.start","user.session.end","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: change + if: | + ["user.lifecycle.activate","user.lifecycle.deactivate", + "user.lifecycle.suspend","user.lifecycle.unsuspend", + "group.user_membership.add","group.user_membership.remove", + "policy.lifecycle.activate","policy.lifecycle.deactivate", + "policy.lifecycle.update","policy.rule.activate","policy.rule.add", + "policy.rule.deactivate","policy.rule.update","application.user_membership.add", + "application.user_membership.remove","application.user_membership.change_username"].contains(ctx?.okta?.event_type) + - append: + field: event.type + value: creation + if: '["user.lifecycle.create","policy.lifecycle.create","application.lifecycle.create"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: deletion + if: '["policy.lifecycle.delete","application.lifecycle.delete"].contains(ctx?.okta?.event_type)' + - append: + field: event.type + value: info + if: '["policy.evaluate_sign_on"].contains(ctx?.okta?.event_type)' + - rename: + field: json.uuid + target_field: okta.uuid + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.alternateId + target_field: okta.actor.alternate_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.displayName + target_field: okta.actor.display_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.id + target_field: okta.actor.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.actor.type + target_field: okta.actor.type + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.device + target_field: okta.client.device + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.geolocation + target_field: client.geo.location + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.city + target_field: client.geo.city_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.state + target_field: client.geo.region_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.geographicalContext.country + target_field: client.geo.country_name + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.id + target_field: okta.client.id + ignore_missing: true + ignore_failure: true + - convert: + field: json.client.ipAddress + target_field: okta.client.ip + type: ip + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.browser + target_field: okta.client.user_agent.browser + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.os + target_field: okta.client.user_agent.os + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.userAgent.rawUserAgent + target_field: okta.client.user_agent.raw_user_agent + ignore_missing: true + ignore_failure: true + - rename: + field: json.client.zone + target_field: okta.client.zone + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.reason + target_field: okta.outcome.reason + ignore_missing: true + ignore_failure: true + - rename: + field: json.outcome.result + target_field: okta.outcome.result + ignore_missing: true + ignore_failure: true + - rename: + field: json.target + target_field: okta.target + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.id + target_field: okta.transaction.id + ignore_missing: true + ignore_failure: true + - rename: + field: json.transaction.type + target_field: okta.transaction.type + ignore_missing: true + ignore_failure: true + - set: + field: okta.debug_context.debug_data.flattened + copy_from: json.debugContext.debugData + ignore_failure: true + - json: + field: okta.debug_context.debug_data.flattened.logOnlySecurityData + ignore_failure: true + - dissect: + field: okta.debug_context.debug_data.flattened.behaviors + pattern: "{%{okta.debug_context.debug_data.flattened.behaviors}}" + ignore_missing: true + ignore_failure: true + - kv: + field: okta.debug_context.debug_data.flattened.behaviors + field_split: ", " + value_split: "=" + target_field: _behaviors_object + if: ctx.okta?.debug_context?.debug_data?.flattened?.behaviors != null + - remove: + field: okta.debug_context.debug_data.flattened.behaviors + if: ctx._behaviors_object != null + - rename: + field: _behaviors_object + target_field: okta.debug_context.debug_data.flattened.behaviors + ignore_missing: true + ignore_failure: true + - dissect: + field: okta.debug_context.debug_data.flattened.risk + pattern: "{%{okta.debug_context.debug_data.flattened.risk}}" + ignore_missing: true + ignore_failure: true + - kv: + field: okta.debug_context.debug_data.flattened.risk + field_split: ", " + value_split: "=" + target_field: _risk_object + if: ctx.okta?.debug_context?.debug_data?.flattened?.risk != null + - remove: + field: okta.debug_context.debug_data.flattened.risk + if: ctx._risk_object != null + - rename: + field: _risk_object + target_field: okta.debug_context.debug_data.flattened.risk + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.deviceFingerprint + target_field: okta.debug_context.debug_data.device_fingerprint + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestId + target_field: okta.debug_context.debug_data.request_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.requestUri + target_field: okta.debug_context.debug_data.request_uri + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.threatSuspected + target_field: okta.debug_context.debug_data.threat_suspected + ignore_missing: true + ignore_failure: true + - rename: + field: json.debugContext.debugData.url + target_field: okta.debug_context.debug_data.url + ignore_missing: true + ignore_failure: true + - set: + field: okta.debug_context.debug_data.risk_level + value: "{{{okta.debug_context.debug_data.flattened.logOnlySecurityData.risk.level}}}" + if: 'ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != null && ctx.okta?.debug_context?.debug_data?.flattened?.logOnlySecurityData?.risk?.level != ""' + - set: + field: okta.debug_context.debug_data.risk_level + value: "{{{okta.debug_context.debug_data.flattened.risk.level}}}" + if: 'ctx.okta?.debug_context?.debug_data?.risk_level == null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != null && ctx.okta?.debug_context?.debug_data?.flattened?.risk != ""' + - rename: + field: json.authenticationContext.authenticationProvider + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.authenticationStep + target_field: okta.authentication_context.authentication_step + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialProvider + target_field: okta.authentication_context.credential_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.credentialType + target_field: okta.authentication_context.credential_type + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.externalSessionId + target_field: okta.authentication_context.external_session_id + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.interface + target_field: okta.authentication_context.authentication_provider + ignore_missing: true + ignore_failure: true + - rename: + field: json.authenticationContext.issuer + target_field: okta.authentication_context.issuer + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asNumber + target_field: okta.security_context.as.number + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.asOrg + target_field: okta.security_context.as.organization.name + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.domain + target_field: okta.security_context.domain + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.isProxy + target_field: okta.security_context.is_proxy + ignore_missing: true + ignore_failure: true + - rename: + field: json.securityContext.isp + target_field: okta.security_context.isp + ignore_missing: true + ignore_failure: true + - rename: + field: json.request.ipChain + target_field: okta.request.ip_chain + ignore_missing: true + ignore_failure: true + - foreach: + field: okta.request.ip_chain + processor: + rename: + field: _ingest._value.geographicalContext + target_field: _ingest._value.geographical_context + ignore_missing: true + ignore_failure: true + ignore_missing: true + - foreach: + field: okta.request.ip_chain + processor: + rename: + field: _ingest._value.geographical_context.postalCode + target_field: _ingest._value.geographical_context.postal_code + ignore_missing: true + ignore_failure: true + ignore_missing: true + - convert: + field: okta.client.user_agent.raw_user_agent + target_field: user_agent.original + type: string + ignore_failure: true + - set: + field: client.ip + copy_from: okta.client.ip + if: ctx?.okta?.client?.ip != null + - set: + field: source.ip + copy_from: okta.client.ip + if: ctx?.okta?.client?.ip != null + - convert: + field: okta.event_type + target_field: event.action + type: string + ignore_failure: true + - convert: + field: okta.security_context.as.organization.name + target_field: client.as.organization.name + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: client.domain + type: string + ignore_failure: true + - convert: + field: okta.security_context.domain + target_field: source.domain + type: string + ignore_failure: true + - convert: + field: okta.uuid + target_field: event.id + type: string + ignore_failure: true + - lowercase: + field: okta.outcome.result + target_field: okta.outcome.result_lower + ignore_missing: true + - set: + field: event.outcome + value: success + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "success" || ctx?.okta?.outcome?.result_lower == "allow") + - set: + field: event.outcome + value: failure + if: ctx?.okta?.outcome?.result_lower != null && (ctx?.okta?.outcome?.result_lower == "failure" || ctx?.okta?.outcome?.result_lower == "deny") + - set: + field: event.outcome + value: unknown + if: ctx?.event?.outcome == null + - remove: + field: okta.outcome.result_lower + ignore_missing: true + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + arr[i]["alternate_id"] = arr[i]["alternateId"]; + arr[i].remove("alternateId"); + arr[i]["display_name"] = arr[i]["displayName"]; + arr[i].remove("displayName"); + arr[i].remove("detailEntry"); + } + } + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("user")) { + ctx["okta_target_user"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("user.") + - script: + lang: painless + source: | + def arr = ctx?.okta?.target; + if (arr != null) { + for (def i = 0; i < arr.length; i++) { + if (arr[i]["type"].toLowerCase().contains("group")) { + ctx["okta_target_group"] = arr[i]; + break; + } + } + } + if: ctx?.okta?.event_type != null && ctx?.okta?.event_type.contains("group.") + - rename: + field: okta_target_user.display_name + target_field: user.target.full_name + ignore_missing: true + - rename: + field: okta_target_user.id + target_field: user.target.id + ignore_missing: true + - rename: + field: okta_target_user.login + target_field: user.target.email + ignore_missing: true + - rename: + field: okta_target_group.display_name + target_field: user.target.group.name + ignore_missing: true + - rename: + field: okta_target_group.id + target_field: user.target.group.id + ignore_missing: true + - remove: + field: + - okta_target_user + - okta_target_group + ignore_missing: true + - set: + field: client.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: source.user.id + value: "{{okta.actor.id}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.id != null + - set: + field: client.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: source.user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - set: + field: user.full_name + value: "{{okta.actor.display_name}}" + ignore_empty_value: true + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{okta.actor.display_name}}" + allow_duplicates: false + if: ctx?.okta?.actor?.display_name != null + - append: + field: related.user + value: "{{user.target.full_name}}" + allow_duplicates: false + if: ctx?.user?.target?.full_name != null + - append: + field: related.ip + value: "{{source.ip}}" + allow_duplicates: false + if: ctx?.source?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + allow_duplicates: false + if: ctx?.destination?.ip != null + - remove: + field: json + ignore_missing: true + - user_agent: + field: user_agent.original + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/okta/1.10.3/data_stream/system/fields/agent.yml b/packages/okta/1.10.3/data_stream/system/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/fields/agent.yml @@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/okta/1.10.3/data_stream/system/fields/base-fields.yml b/packages/okta/1.10.3/data_stream/system/fields/base-fields.yml new file mode 100755 index 0000000000..915728ae0c --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: okta +- name: event.dataset + type: constant_keyword + description: Event dataset + value: okta.system +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/okta/1.10.3/data_stream/system/fields/beats.yml b/packages/okta/1.10.3/data_stream/system/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/okta/1.10.3/data_stream/system/fields/ecs.yml b/packages/okta/1.10.3/data_stream/system/fields/ecs.yml new file mode 100755 index 0000000000..d527f2389d --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/fields/ecs.yml @@ -0,0 +1,307 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: client.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: client.as.organization.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: City name. + name: client.geo.city_name + type: keyword +- description: Country name. + name: client.geo.country_name + type: keyword +- description: Longitude and latitude. + name: client.geo.location + type: geo_point +- description: Region name. + name: client.geo.region_name + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: client.user.full_name + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Unique container id. + name: container.id + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + normalize: + - array + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + normalize: + - array + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: All of the IPs seen on your event. + name: related.ip + normalize: + - array + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + normalize: + - array + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: source.user.full_name + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: List of keywords used to tag each event. + name: tags + normalize: + - array + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.target.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/okta/1.10.3/data_stream/system/fields/fields.yml b/packages/okta/1.10.3/data_stream/system/fields/fields.yml new file mode 100755 index 0000000000..88055c4d48 --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/fields/fields.yml @@ -0,0 +1,270 @@ +- name: okta.uuid + title: UUID + type: keyword + description: | + The unique identifier of the Okta LogEvent. +- name: okta.event_type + title: Event Type + type: keyword + description: | + The type of the LogEvent. +- name: okta.version + title: Version + type: keyword + description: | + The version of the LogEvent. +- name: okta.severity + title: Severity + type: keyword + description: | + The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. +- name: okta.display_message + title: Display Message + type: keyword + description: | + The display message of the LogEvent. +- name: okta.actor + title: Actor + type: group + fields: + - name: id + type: keyword + description: | + Identifier of the actor. + - name: type + type: keyword + description: | + Type of the actor. + - name: alternate_id + type: keyword + description: | + Alternate identifier of the actor. + - name: display_name + type: keyword + description: | + Display name of the actor. +- name: okta.client + title: Client + type: group + fields: + - name: ip + type: ip + description: | + The IP address of the client. + - name: user_agent + type: group + fields: + - name: raw_user_agent + type: keyword + description: | + The raw informaton of the user agent. + - name: os + type: keyword + description: | + The OS informaton. + - name: browser + type: keyword + description: | + The browser informaton of the client. + - name: zone + type: keyword + description: | + The zone information of the client. + - name: device + type: keyword + description: | + The information of the client device. + - name: id + type: keyword + description: | + The identifier of the client. +- name: okta.outcome + title: Outcome of the LogEvent. + type: group + fields: + - name: reason + type: keyword + description: | + The reason of the outcome. + - name: result + type: keyword + description: | + The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. +- name: okta.target + title: Target + type: flattened + description: | + The list of targets. + fields: + - name: id + type: keyword + description: | + Identifier of the actor. + - name: type + type: keyword + description: | + Type of the actor. + - name: alternate_id + type: keyword + description: | + Alternate identifier of the actor. + - name: display_name + type: keyword + description: | + Display name of the actor. +- name: okta.transaction + title: Transaction + type: group + fields: + - name: id + type: keyword + description: | + Identifier of the transaction. + - name: type + type: keyword + description: | + The type of transaction. Must be one of "WEB", "JOB". +- name: okta.debug_context + title: Debug Context + type: group + fields: + - name: debug_data + type: group + fields: + - name: device_fingerprint + type: keyword + description: | + The fingerprint of the device. + - name: request_id + type: keyword + description: | + The identifier of the request. + - name: request_uri + type: keyword + description: | + The request URI. + - name: threat_suspected + type: keyword + description: | + Threat suspected. + - name: risk_level + type: keyword + description: | + The risk level assigned to the sign in attempt. + - name: url + type: keyword + description: | + The URL. + - name: flattened + type: flattened + description: | + The complete debug_data object. +- name: okta.authentication_context + title: Authentication Context + type: group + fields: + - name: authentication_provider + type: keyword + description: | + The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. + - name: authentication_step + type: integer + description: | + The authentication step. + - name: credential_provider + type: keyword + description: | + The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. + - name: credential_type + type: keyword + description: | + The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. + - name: issuer + type: array + description: | + The information about the issuer. + fields: + - name: id + type: keyword + description: | + The identifier of the issuer. + - name: type + type: keyword + description: | + The type of the issuer. + - name: external_session_id + type: keyword + description: | + The session identifer of the external session if any. + - name: interface + type: keyword + description: | + The interface used. e.g., Outlook, Office365, wsTrust +- name: okta.security_context + title: Security Context + type: group + fields: + - name: as + type: group + fields: + - name: number + type: integer + description: | + The AS number. + - name: organization + type: group + fields: + - name: name + type: keyword + description: | + The organization name. + - name: isp + type: keyword + description: | + The Internet Service Provider. + - name: domain + type: keyword + description: | + The domain name. + - name: is_proxy + type: boolean + description: | + Whether it is a proxy or not. +- name: okta.request + title: Request + type: group + fields: + - name: ip_chain + type: flattened + fields: + - name: ip + type: ip + description: | + IP address. + - name: version + type: keyword + description: | + IP version. Must be one of V4, V6. + - name: source + type: keyword + description: | + Source information. + - name: geographical_context + type: group + fields: + - name: city + type: keyword + description: The city. + - name: state + type: keyword + description: The state. + - name: postal_code + type: keyword + description: The postal code. + - name: country + type: keyword + description: The country. + - name: geolocation + type: geo_point + description: | + Geolocation information. diff --git a/packages/okta/1.10.3/data_stream/system/manifest.yml b/packages/okta/1.10.3/data_stream/system/manifest.yml new file mode 100755 index 0000000000..442cc16cd2 --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/manifest.yml @@ -0,0 +1,34 @@ +type: logs +title: Okta system logs +streams: + - input: httpjson + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - okta-system + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: Okta system logs + description: Collect Okta system logs diff --git a/packages/okta/1.10.3/data_stream/system/sample_event.json b/packages/okta/1.10.3/data_stream/system/sample_event.json new file mode 100755 index 0000000000..e048970ffb --- /dev/null +++ b/packages/okta/1.10.3/data_stream/system/sample_event.json @@ -0,0 +1,163 @@ +{ + "@timestamp": "2020-02-14T20:18:57.718Z", + "agent": { + "ephemeral_id": "3347d5a2-0d81-41c5-8cbf-a69aebcdb56a", + "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "data_stream": { + "dataset": "okta.system", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", + "snapshot": true, + "version": "8.2.1" + }, + "event": { + "action": "user.session.start", + "agent_id_status": "verified", + "category": [ + "authentication", + "session" + ], + "created": "2022-05-18T08:57:39.484Z", + "dataset": "okta.system", + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "ingested": "2022-05-18T08:57:40Z", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "user" + ] + }, + "input": { + "type": "httpjson" + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "108.255.197.247", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "108.255.197.247", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "108.255.197.247" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "okta-system" + ], + "user": { + "full_name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } +} \ No newline at end of file diff --git a/packages/okta/1.10.3/docs/README.md b/packages/okta/1.10.3/docs/README.md new file mode 100755 index 0000000000..a791d0c7b3 --- /dev/null +++ b/packages/okta/1.10.3/docs/README.md @@ -0,0 +1,356 @@ +# Okta Integration + +The Okta integration collects events from the Okta API, specifically reading from the Okta System Log API. + +## Logs + +### System + +The Okta System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. This module is implemented using the httpjson input and is configured to paginate through the logs while honoring any rate-limiting headers sent by Okta. + +An example event for `system` looks as following: + +```json +{ + "@timestamp": "2020-02-14T20:18:57.718Z", + "agent": { + "ephemeral_id": "3347d5a2-0d81-41c5-8cbf-a69aebcdb56a", + "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "data_stream": { + "dataset": "okta.system", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.3.0" + }, + "elastic_agent": { + "id": "dbc761fd-dec4-4bc7-acec-8e5cb02a0cb6", + "snapshot": true, + "version": "8.2.1" + }, + "event": { + "action": "user.session.start", + "agent_id_status": "verified", + "category": [ + "authentication", + "session" + ], + "created": "2022-05-18T08:57:39.484Z", + "dataset": "okta.system", + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "ingested": "2022-05-18T08:57:40Z", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "user" + ] + }, + "input": { + "type": "httpjson" + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "108.255.197.247", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "108.255.197.247", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "108.255.197.247" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "ip": "108.255.197.247", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "okta-system" + ], + "user": { + "full_name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.user.full_name | User's full name, if available. | keyword | +| client.user.full_name.text | Multi-field of `client.user.full_name`. | match_only_text | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| okta.actor.alternate_id | Alternate identifier of the actor. | keyword | +| okta.actor.display_name | Display name of the actor. | keyword | +| okta.actor.id | Identifier of the actor. | keyword | +| okta.actor.type | Type of the actor. | keyword | +| okta.authentication_context.authentication_provider | The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. | keyword | +| okta.authentication_context.authentication_step | The authentication step. | integer | +| okta.authentication_context.credential_provider | The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. | keyword | +| okta.authentication_context.credential_type | The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. | keyword | +| okta.authentication_context.external_session_id | The session identifer of the external session if any. | keyword | +| okta.authentication_context.interface | The interface used. e.g., Outlook, Office365, wsTrust | keyword | +| okta.authentication_context.issuer.id | The identifier of the issuer. | keyword | +| okta.authentication_context.issuer.type | The type of the issuer. | keyword | +| okta.client.device | The information of the client device. | keyword | +| okta.client.id | The identifier of the client. | keyword | +| okta.client.ip | The IP address of the client. | ip | +| okta.client.user_agent.browser | The browser informaton of the client. | keyword | +| okta.client.user_agent.os | The OS informaton. | keyword | +| okta.client.user_agent.raw_user_agent | The raw informaton of the user agent. | keyword | +| okta.client.zone | The zone information of the client. | keyword | +| okta.debug_context.debug_data.device_fingerprint | The fingerprint of the device. | keyword | +| okta.debug_context.debug_data.flattened | The complete debug_data object. | flattened | +| okta.debug_context.debug_data.request_id | The identifier of the request. | keyword | +| okta.debug_context.debug_data.request_uri | The request URI. | keyword | +| okta.debug_context.debug_data.risk_level | The risk level assigned to the sign in attempt. | keyword | +| okta.debug_context.debug_data.threat_suspected | Threat suspected. | keyword | +| okta.debug_context.debug_data.url | The URL. | keyword | +| okta.display_message | The display message of the LogEvent. | keyword | +| okta.event_type | The type of the LogEvent. | keyword | +| okta.outcome.reason | The reason of the outcome. | keyword | +| okta.outcome.result | The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. | keyword | +| okta.request.ip_chain.geographical_context.city | The city. | keyword | +| okta.request.ip_chain.geographical_context.country | The country. | keyword | +| okta.request.ip_chain.geographical_context.geolocation | Geolocation information. | geo_point | +| okta.request.ip_chain.geographical_context.postal_code | The postal code. | keyword | +| okta.request.ip_chain.geographical_context.state | The state. | keyword | +| okta.request.ip_chain.ip | IP address. | ip | +| okta.request.ip_chain.source | Source information. | keyword | +| okta.request.ip_chain.version | IP version. Must be one of V4, V6. | keyword | +| okta.security_context.as.number | The AS number. | integer | +| okta.security_context.as.organization.name | The organization name. | keyword | +| okta.security_context.domain | The domain name. | keyword | +| okta.security_context.is_proxy | Whether it is a proxy or not. | boolean | +| okta.security_context.isp | The Internet Service Provider. | keyword | +| okta.severity | The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. | keyword | +| okta.target.alternate_id | Alternate identifier of the actor. | keyword | +| okta.target.display_name | Display name of the actor. | keyword | +| okta.target.id | Identifier of the actor. | keyword | +| okta.target.type | Type of the actor. | keyword | +| okta.transaction.id | Identifier of the transaction. | keyword | +| okta.transaction.type | The type of transaction. Must be one of "WEB", "JOB". | keyword | +| okta.uuid | The unique identifier of the Okta LogEvent. | keyword | +| okta.version | The version of the LogEvent. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.id | Unique identifier of the user. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | diff --git a/packages/okta/1.10.3/img/filebeat-okta-dashboard.png b/packages/okta/1.10.3/img/filebeat-okta-dashboard.png new file mode 100755 index 0000000000..6a28b4363b Binary files /dev/null and b/packages/okta/1.10.3/img/filebeat-okta-dashboard.png differ diff --git a/packages/okta/1.10.3/img/okta-logo.svg b/packages/okta/1.10.3/img/okta-logo.svg new file mode 100755 index 0000000000..d806cb7dc6 --- /dev/null +++ b/packages/okta/1.10.3/img/okta-logo.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/okta/1.10.3/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.3/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..d8725c4d60 --- /dev/null +++ b/packages/okta/1.10.3/kibana/dashboard/okta-749203a0-67b1-11ea-a76f-bf44814e437d.json @@ -0,0 +1,54 @@ +{ + "attributes": { + "description": "Logs Okta integration Kibana dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":26.54701,\"lon\":-44.69098,\"zoom\":2.75},\"openTOCDetails\":[]},\"gridData\":{\"h\":22,\"i\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8013824b-5a66-494c-acc5-3df8b7678879\",\"panelRefName\":\"panel_0\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"w\":10,\"x\":0,\"y\":22},\"panelIndex\":\"c6a66fe5-21a2-4308-8563-d4a7f5135d25\",\"panelRefName\":\"panel_1\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"w\":9,\"x\":10,\"y\":22},\"panelIndex\":\"195db901-dc2b-4b7d-80c3-742e2712ac2a\",\"panelRefName\":\"panel_2\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"w\":19,\"x\":29,\"y\":22},\"panelIndex\":\"dc5128e2-0b4d-4dd5-bbc2-624f64467a77\",\"panelRefName\":\"panel_3\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"w\":10,\"x\":19,\"y\":22},\"panelIndex\":\"a25a43ed-3262-486c-a482-1fac52f26128\",\"panelRefName\":\"panel_4\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"w\":48,\"x\":0,\"y\":33},\"panelIndex\":\"c0d5bac3-7e50-4ef9-a401-5a596ec84ee9\",\"panelRefName\":\"panel_5\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Okta] Overview", + "version": 1 + }, + "id": "okta-749203a0-67b1-11ea-a76f-bf44814e437d", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d", + "name": "panel_0", + "type": "map" + }, + { + "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/okta/1.10.3/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.3/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..916a10ca30 --- /dev/null +++ b/packages/okta/1.10.3/kibana/map/okta-281ca660-67b1-11ea-a76f-bf44814e437d.json @@ -0,0 +1,24 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\" \"},\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"filterByMapBounds\":false,\"geoField\":\"client.geo.location\",\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\",\"sortField\":\"\",\"sortOrder\":\"desc\",\"tooltipProperties\":[],\"topHitsSize\":1,\"type\":\"ES_SEARCH\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "mapStateJSON": "{\"center\":{\"lat\":26.54701,\"lon\":-44.69098},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"zoom\":2.75}", + "title": "Geolocation [Logs Okta]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "id": "okta-281ca660-67b1-11ea-a76f-bf44814e437d", + "migrationVersion": { + "map": "7.9.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/okta/1.10.3/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.3/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..35112753e0 --- /dev/null +++ b/packages/okta/1.10.3/kibana/search/okta-21028750-67ca-11ea-a76f-bf44814e437d.json @@ -0,0 +1,49 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.outcome\",\"negate\":false,\"params\":{\"query\":\"FAILURE\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.outcome\":\"FAILURE\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ], + [ + "event.created", + "desc" + ] + ], + "title": "Okta Failure Events", + "version": 1 + }, + "id": "okta-21028750-67ca-11ea-a76f-bf44814e437d", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/okta/1.10.3/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.3/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..e31342b53d --- /dev/null +++ b/packages/okta/1.10.3/kibana/visualization/okta-0a784b30-67c7-11ea-a76f-bf44814e437d.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Actor Types [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.actor.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Actor Types [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-0a784b30-67c7-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/okta/1.10.3/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.3/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..c1c400b37c --- /dev/null +++ b/packages/okta/1.10.3/kibana/visualization/okta-545d6a00-67ae-11ea-a76f-bf44814e437d.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Event Outcome [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Event Outcome [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-545d6a00-67ae-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/okta/1.10.3/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.3/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..beb76986ed --- /dev/null +++ b/packages/okta/1.10.3/kibana/visualization/okta-7c6ec080-67c6-11ea-a76f-bf44814e437d.json @@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"okta.system\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Transaction Types [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"okta.transaction.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Transaction Types [Logs Okta]\",\"type\":\"pie\"}" + }, + "id": "okta-7c6ec080-67c6-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/okta/1.10.3/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json b/packages/okta/1.10.3/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json new file mode 100755 index 0000000000..4e314cfd4c --- /dev/null +++ b/packages/okta/1.10.3/kibana/visualization/okta-cda883a0-67c6-11ea-a76f-bf44814e437d.json @@ -0,0 +1,21 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Time Series [Logs Okta]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"abd68650-67c6-11ea-8c7d-ed286611413e\"}],\"default_index_pattern\":\"logs-*\",\"default_timefield\":\"@timestamp\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"logs-*\",\"interval\":\"\",\"isModelInvalid\":false,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"okta.system\\\"\"},\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"point_size\":1,\"separate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"type\":\"timeseries\"},\"title\":\"Time Series [Logs Okta]\",\"type\":\"metrics\"}" + }, + "id": "okta-cda883a0-67c6-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/okta/1.10.3/manifest.yml b/packages/okta/1.10.3/manifest.yml new file mode 100755 index 0000000000..31fa7decc6 --- /dev/null +++ b/packages/okta/1.10.3/manifest.yml @@ -0,0 +1,77 @@ +name: okta +title: Okta +version: 1.10.3 +release: ga +description: Collect and parse event logs from Okta API with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security] +conditions: + kibana.version: ^7.14.0 || ^8.0.0 +icons: + - src: /img/okta-logo.svg + title: Okta + size: 216x216 + type: image/svg+xml +screenshots: + - src: /img/filebeat-okta-dashboard.png + title: Okta Dashboard + size: 1024x662 + type: image/png +policy_templates: + - name: okta + title: Okta logs + description: Collect logs from Okta + inputs: + - type: httpjson + vars: + - name: api_key + type: text + title: API Key + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: true + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 60s + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: true + - name: url + type: text + title: Okta System Log API Url + multi: false + required: true + show_user: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + title: "Collect Okta logs via API" + description: "Collecting logs from Okta via API" +owner: + github: elastic/security-external-integrations